Cisco Firewall :: ASA 5550 - Direct Access To Public IP Address From Inside Network?

Jan 23, 2012

We have ASA 5550, I have a portal server in the dmz which is natted statically to a public ip address for port 443. The application works fine from outside world. The server is also nated with a dynamic nat from inside to dmz and when I hit on the dmz ip from my inside it works fine.
 
The requirement for us is that the users sitting behind the inside (i.e. LAN) should access the server on the public ip address and not thru the dmz.

View 5 Replies


ADVERTISEMENT

Cisco Firewall :: ASA 8.4(3) - Access To Public IP Address From Inside

May 22, 2012

I need to connect from an inside host to a host located in the DMZ zone for DNS queries. The host in the DMZ zone has a static NAT to the outside. The point now is that I would like to connect from inside to the NATed outside address, means to the public Internet address.
 
Inside host: 10.0.0.1 -> PAT for 10.0.0.0/8 to 20.0.0.254 (Outside Interface)
DMZ host: 192.168.1.1 -> NAT to outside to 20.0.0.1
 
The traffic should be 10.0.0.1 udp>1024 to 20.0.0.1 udp=53. The source IP address on the outside interface now is 20.0.0.254 (according to the PAT), the destination IP address 20.0.0.1. The DNS reply from 20.0.0.1 should go back now to 20.0.0.254 and then to the inside host 10.0.0.1.
 
I know that on the PIX it was not possible, to have outgoing traffic on the outside interface which immediately enters again the same interface. Can I realize this scenario with the ASA 8.4(3) release now?

View 1 Replies View Related

Cisco Firewall :: ASA 5550 / Basic NAT From Outside Remote-access IPSec VPN To Inside?

Mar 16, 2012

I cannot get this to work properly and I've even had a Cisco engineer from TAC set-this up... and it literally broke my inside network.  I have a VPN range of addresses..x.x.x.x on the Outside that needs access to a server on the Inside at y.y.y.y.  HTTPS/443 connectivity.  I need to NAT my VPN subnet/pool in order to talk to the inside host, as that host will not accept traffic from my VPN subnet, but obviously, will accept traffic from Inside my private network.
 
The Cisco tech entered the following static NAT statement to "fix" the problem - nat (outside,inside) source static VPN Inside-Network destination static Host-y.y.y.y Host-y.y.y.y For whatever reason, whenever this is configured on my ASA 5550 v8.3(2)25 the Inside interface starts proxy arping and assigns all IP addresses on my private network with the MAC address of the Inside interface. 
 
The y.y.y.y is on a remote, routed network within my private, corporate MPLS network.  My Inside private network (Inside-network shown in the static NAT above) is x.x.x.x.  Not sure why this happens, but it kills my entire network and I have to jump through hoops to quiesce the network and get everything back to normal.I've tried to Dynamic-PAT/hide the VPN range behind the Inside interface through ASDM and that seems to do nothing.The NAT statement above will break my network. How to NAT this connection without killing my Inside network?  Or, on how to properly hide my VPN subnet/pool behind my Inside interface and back to the VPN subnet/pool.

View 1 Replies View Related

Cisco Firewall :: ASA 5550 Two ACL From Outside To Inside

May 13, 2011

I have  ASA5550 ruuning Version 8.3(1) with inside and outside interfaces as below [code] On the inside : I have a server (10.20.10.36) that need to be accessed from an outside host (Y.Y.131.34) , so I have the below NAT/ACL  rules. [code] is it right that I have to add two ACL entry for outside host to the NATed IP of the inside server , then again add another ACL entry from the same outside host to the private IP of my inside server o get this communication done?

View 7 Replies View Related

Cisco Firewall :: ASA 5550 Inside Interface Hangs

Apr 24, 2012

the inside interface on our primary ASA seemed to "hang". It dropped all the packets it received. Because the interface didnt go down, failover didn't happen. Device's info;

-Cisco Adaptive Security Appliance Software Version 8.2(3)
-Device Manager Version 6.3(3)
-Hardware:   ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
-Internal ATA Compact Flash, 256MB
-BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
 
I attached a capture picture shows that traffic didnt go to the roof when the issue happened. Why the interface would "freeze" randomly?

View 1 Replies View Related

Cisco WAN :: ASA 5510 - Allow Local Network To Access Public Internet Address On DMZ

Mar 14, 2013

I have a Cisco ASA 5510 I am using ASDM 6.1
 
I have a LAN and a DMZ and an internet connection. I am using one of the internet connection IPs to host a HTTP service on a server in my DMZ.  (its the same interface as my internet connenction but a different IP to the one used for internet connectivity)
 
so say my LAN is 192.168.1.x
and my DMZ is 172.168.1.x

I can access DMZ from Lan and vice versa. when i try to access the public IP (or URL) from a pc in my LAN i get nothing.
 
I have enabled DNS rewrite (doctoring) but it is still not working. the HTTP service is available from other sites.

View 1 Replies View Related

Cisco Firewall :: Pix 535 / Traverse From Inside To Outside Public IP

May 18, 2011

I'm trying to traverse from my inside private IP address (10.x.x.x) to my public IP address translation (172.16.x.x) in order to take advantage of the ACLs that are already applied on my outside interface.  For example:
 
Host 10.0.0.1, translated to PAT pool
Server 10.0.0.5, translated to 172.16.0.1
Inside-out access-list permits ip any any
Outside-in access-list permits tcp any 172.16.0.1/32 eq 80
 
From my inside host, I can get go 10.0.0.5:80.  I can get out to the internet.  External hosts can successfully get to 172.16.0.1:80 (address scheme is theoretical).  I can do everything except for connect to 172.16.0.1:80 (the translated public IP address) from my inside host address.  I did not setup this firewall originally, but I can't see a blatant command that makes this not work.  I don't see an ACL rule matched, so I'm assuming this is an issue with NAT or some sort of security policy. I'm running a Pix 535 /w 8.0.4.  The response I got from Cisco was "create static (inside,inside) translations for every host", but that's over 300 hosts.  I have a friend running the same software set and his works as expected without these static (inside, inside) NATs. 

View 2 Replies View Related

Cisco WAN :: 2821 Cannot Access Inside Server By Its Public IP

Jul 5, 2011

The router is 2821 and is setup to perform static NAT from one internal ip address mapping to one external ip address for each of our servers (inside the LAN): [code] Servers all have internal ip addresses and each of them represented to the outside world by their public ip address with above command on the router. Here is the problem.When I'm in a server (for example 192.168.0.210) and try to access other servers by their public ip addresses (i..e. *.*.*.211) the connection fails. However, When i try to access the same server by it's private IP address (i.e. 192.168.0.211) it works!
 
My issue is i don't want to modify windows host file for a manual mapping (for example mail.mydomian.com goes to 192.168.0.211 rather than *.*.*.211) because we host many domains and just doesn't make sense to do it one by one.So we must be able to access our servers by their public IP addresses in order for us our applications works correctly.

View 10 Replies View Related

Cisco Firewall :: ASA 5510 - Connect From Inside To Web Server On DMZ With Public IP

Sep 11, 2012

I hava ASA5510. INSIDE,DMZ and OUTSIDE interfaces are configured. I hava web server on DMZ ip:10.0.0.1 and it is static natted to 1.1.1.1. From internet i can reach to web server with IP:1.1.1.1 and from INSIDE connect to web server with IP:10.0.0.1. Now i want to connect from INSIDE to WEB server via public IP(1.1.1.1).how can configure it?

View 2 Replies View Related

Cisco Firewall :: ASA5525-X / Accessing IPs Of Public Servers From Inside Interface?

Oct 30, 2012

Got an ASA5525-X with 8.6 release. We have an inside interface (10.11.1.0/24) and a DMZ interface (10.254.1.0/24). On that DMZ interface theres an SMTP server; by using the Public server feature in ASDM we created a rule so we have mapped the 10.254.1.29 internal ip to an external ip 217.x.x.x Everything is fine; working ok, but for several reasons we need to access the public ip 217.x.x.x from an inside ip (10.11.1.10). I tried to do it by creating an exemption for the dynamic nat; if i don't do that i have a 'deny ip spoof from...' message rolling on my syslogs.Seems to do the trick.....but only for pings! i ping the public ip from the inside ip, and got the reply from the internal ip on the DMZ. But if i want to telnet port 25 from inside to public; its not working.

View 7 Replies View Related

Cisco Firewall :: ASA 5505 8.4(1) - Map Multiple Inside Hosts Ports To One Public IP?

Jun 22, 2011

I'm stuck at asa 5505 nat, port forwarding configuration Here is what i need:

host1: 192.168.1.1 service tcp/100 >>>>> public ip 1.1.1.1 service tcp/100
host2: 192.168.1.2 service tcp/200 >>>>> public ip 1.1.1.1 service tcp/200
host3: 192.168.1.3 service tcp/300 >>>>> public ip 1.1.1.1 service tcp/300
 
So people from remote just need to use 1.1.1.1 public ip to access all the ports on three different inside server.I can do this on my old ASA 5505 with 8.0(4). Looks like there're lots of change from 8.0 to 8.4.

View 7 Replies View Related

Cisco Firewall :: No Internet Access From Inside Network Of PIX 525?

Dec 11, 2012

I am working on pix 525, when connected through console I can access the whole internet but when i connect the pc to the inside interface i have no access to the internet. the pc can ping the pix inside interface and from pix i can ping the pc. My configuration is shown below.

PIX Version 7.2(2)
!
hostname pix
domain-name xyz.edu.pk
enable password xxxxxxxx encrypted

[code]....

View 8 Replies View Related

Cisco Firewall :: ASA5505 Cannot Access Inside Network From IPSec VPN

Jan 20, 2013

I'm trying to make a very plain and simple network with the ASA 5505, I've strated from scratch over a dozen times triyng to find where I'm going wrong.  My main goal is to simply create an IPSec VPN connection to my ASA 5505 and simply ping and connect to devices with the "inside network", so far I can easily create and establish a IPSec VPN Connection, but up to this point, I cannot successfully ping or access a single device on the ASA 5505 inside network.I've taken, create the IPSec profile with the ASDM wizard, add exemption for the VPN IP Pool, add access-list from this Cisco link, url...All this and I can't make a single connection to the inside network.  [code]

View 7 Replies View Related

Cisco Firewall :: Access And Ping Inside Interface Of ASA5505 From Remote Network?

Sep 13, 2012

I am trying to access and ping the inside interface of a ASA5505 from a remote network.  From the remote network, I am able to access anything on the local network, but the ASA5505 inside interface.The 2 networks linked by a fiber link which have a transport network on another interface.  From the remote network, I am able to ping the transport network interface IP, but I would like to be able to ping the inside interface IP.  When I do a packet tracer, I get a deny from an implicit rule.How can I achieve that?
 
Here are the subnets involved and the ASA5505 config.
 
Remote network : 10.10.2.0/24
Local network : 10.10.1.0/24
Transport network : 10.10.99.0/24

[code]....

View 1 Replies View Related

Cisco Firewall :: ASA 5550 - Traffic For External IP Address Does Not Arrive

Aug 24, 2011

We have a new Cisco ASA 5550 that I am trying to configure.  We are currently using a borderware firewall.
 
We have multiple external IP addresses and I can NAT traffic from all except for our external interface IP address.
 
When watching the packets in the ADSM monitor if the IP address is our external IP then I see nothing unless it is ICMP.  I can ping the IP address just cannot do anything else with it.
 
All the rest of our provided IP addresses can be NATed and work correctly.
 
Traffic for our external interface IP does show up when we use the borderware firewall so we know the traffic is getting here.

View 6 Replies View Related

Broadband :: Re-direct A Public Router To Port?

Aug 20, 2011

I am trying to remotely access my PC from my HP Touchpad. I have program to do that but my public router is blocking access. The program says to redirect that router to port 5900. Since it is a public router I can't find how to access the public router to redirect it.

View 3 Replies View Related

Cisco Firewall :: ASA 5520 With Windows UAG Direct Access In DMZ?

Dec 16, 2010

I'm trying to set up Windows Server UAG for Direct Access in a Testlab. The UAG Server has two network nics. One in my Testdomain (internal) and the other one in a DMZ of our Cisco ASA (external).Our ASA dmz has subnet 192.168.3.x but UAG Direct Access needs public ip adresses.Is there documentation how to configure an ASA 5520 Firewall so i can use my Windows UAG Server with Direct Access?

View 7 Replies View Related

Cisco Firewall :: ASA 5505 / How To Direct A 2 Sub Network To 2 Different ISP

Jul 26, 2011

With an ASA 5505, i would l like to guide a sub network to an ISP and another sub network to the other ISP.i have 2 differents ISP.My major problem is the metric. I tried with access-list command to force the way out, but it seems that "metric" is stronger than "access-list".I don't know how to manage such LAB. is that possible with ASA 5505 appliance?

View 9 Replies View Related

Cisco Firewall :: 80 / 443 - How To NAT Public Address To DMZ

May 13, 2011

1. how do I nat a public address to a dmz address.

2. how do I open port 80/443 in the public to this address?

View 1 Replies View Related

Cisco Firewall :: ASA5510 All Inside IPs Have Same MAC Address

Sep 27, 2011

My customer has a 5510 with the inside interface connected to a routed port on a Cat3560G.When I look at the arp cache on the 5510 all inside IPs have the MAC of the 3560's routed port. [code]

View 6 Replies View Related

D-Link DCS Network Camera :: 2121 - How To Access Direct URL

Dec 9, 2010

I've just got my DCS-2121 up and working. But i can't figureout how to access the direct URL for the camera?And is there a URL for still images aswell?I got an iPad and an iPhone, but i can't access the camera because it use Java.I had another DCS-900 where i could access IMAGE.jpg and Video.cgi. Is there anything like those for the DCS-2121?

View 7 Replies View Related

Cisco Firewall :: ASA 5505 - Forward Address Outside / Inside?

Feb 27, 2011

I have a cisco asa 5505 and i need a public ip address on the inside of my network without NAT. for example: I can create a static nat translation rule, but this is not what i need.
 
isp -> x.x.x.1 /29 (outside asa)  (inside network) x.x.x.2 /29
 
Is this possible?

View 1 Replies View Related

Cisco Switching/Routing :: RV042 - Direct One Computer On Network To Access Particular WAN

Sep 1, 2011

I have a RV042 Dual WAN router.  What I would like to be able to do is to direct a computer on my network to access one particular WAN.  For example, WAN1 is a DSL line and WAN2 is a cable line.  I would like to direct a computer on our LAN to access the cable line always, even though I have Smart Link Backup set to WAN1.  Is this possible?

View 6 Replies View Related

Cisco Security :: ASA 5550 / Communication Between Servers On DMZ And Inside?

Feb 15, 2012

We have ASA 5550, I have a citirx server in the dmz which is natted statically to a public ip address for port 443. The dmz server communicate with our internal server (i.e. AD) for LDAP authentication. I have a static transparent nat from inside to dmz for the internal server's communcation with dmz.

When accessing the application from inside the network on the internal web server it works perfectly fine and authenticates with the AD.But when accessing from outside, the reach the citrix server and then the AD authentication fails, basically it works intermitantly. I have tried to check the communcation from the DMZ server to the internal server and the icmp works perfectly fine, even I am able to telnet on the ports specified on the internal servers from the DMZ servers. I tried to look into the logs on the ASA and this is something that looks suspicious to me.
  
Feb 16 Teardown TCP connection 47646475 for dmz1:CITRIX-DMZ1/47179 to inside:inside-server/80 duration 0:00:00 bytes 1230 TCP FINs
Feb 16Built inbound TCP connection 47646476 for dmz1:CITRIX-DMZ1/47180 (CITRIX-DMZ1/47180) to inside:inside-server/80 (inside-server/80)
Feb 16Teardown TCP connection 47646476 for dmz1:CITRIX-DMZ1/47180 to inside:inside-server/80 duration 0:00:00 bytes 3824 TCP FINs
Feb 16Built inbound TCP connection 47646477 for dmz1:CITRIX-DMZ1/47181 (CITRIX-DMZ1/47181) to inside:inside-server/80 (inside-server/80)
Feb 16 Teardown TCP connection 47646477 for dmz1:CITRIX-DMZ1/47181 to inside:inside-server/80 duration 0:00:00 bytes 1224 TCP FINs

[code]....

View 2 Replies View Related

Cisco Firewall :: ASA5520 - Cannot Use Public NAT Address From Any Of Other Interfaces

May 31, 2012

I'm having a weird issue with an ASA 5520 (Ver. 8.2) of a customer. The scenario is as follows:
 
There is a sub net (on a sub interface) "Guest" which basically is allowed unlimited access to the internet. Traffic is source Na Ted through the ASA to the outside interface. This works fine.
 
There is on the "inside" interface a server which can be accessed from the outside via a public IP address. On the ASA this is implemented as a static NAT entry. This also works fine.
 
Now the customer wants to access the server on the inside from a client of the "Guest" interface using the public (Na Ted) IP address. Reason for this is, they have an application with hard programmed IP address inside and want to run some life tests. However, this kind of traffic seems not to be passing through the ASA.
 
What I have tried so far:
 
- examined, if a hairpin scenario could be applied here, but it seems not, as I have traffic traveling between interfaces not out and in to the same interface.
- enabled the option "enable traffic between two or more interfaces which are configured with same security levels" and also "enable traffic between two or more hosts connected to the same interface"
- when I use the real addresses of the host, it works, so it shouldn't be an issue with the firewall rules
 
So any reason why I cannot use the public NAT address from any of the other interfaces?

View 3 Replies View Related

Cisco Firewall :: ASA 5505 - Public Static IP Address And DMZ

Feb 3, 2013

I have ASA 5505 with basic licence, v9.1, ASDM 7.1. I want to create the DMZ for a web server.
 
The interface 0 is for the outside network The interface 6 is for the DMZ All other interfaces are for the inside network
 
My ISP provided me with one public static IP address, one gateway address and a subnet mask 255.255.255.252
 
1/ I would like to ask which interface I should assign the public static IP address to. Should it be assigned to the outside interface 0, or should it be assigned to the DMZ interface 6, while outside interface would be configured to use DHCP?
 
I tried to assign the static IP address to the outside interface first, but then when I used ASDM the “Public Servers” feature to configure NAT, I get error message that the outside interface and the public address cannot have the same IP address.
 
2/ For the sake of peace of mind, I am thinking about using the second firewall, which would be used only for the inside network. Can I connect this second firewall to one of the inside interfaces of the 1st firewall,

View 4 Replies View Related

Cisco VPN :: When Try To Access Inside Resource From VPN Address ASA 5505 Blocks It

May 8, 2012

I have a newly aquired asa 5505 that I just set up to the bare minimum configurations. I followed a cisco paper on how to create a "remote access vpn" setup for ipsec. I can sucessfully connect and establish a VPN, but when I try to access an inside resource from the vpn address, the asa blocks it.
 
Specific error is:5 May 09 2012 15:17:48 305013 192.168.1.2 80 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.1.220/53101 dst inside:192.168.1.2/80 denied due to NAT reverse path failure
 
Here is my config.
 
: Saved:ASA Version 8.2(2) !hostname asawooddomain-name wood.localenable password W/KqlBn3sSTvaD0T encryptedpasswd W/KqlBn3sSTvaD0T encryptednamesname 192.168.1.117 kylewooddesk description kyle!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0 !interface Vlan2nameif outsidesecurity-level 0ip address dhcp setroute !interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!boot system disk0:/asa822-k8.binftp mode passivedns server-group DefaultDNSdomain-name wood.localobject-group service rdp tcpdescription rdp accessport-object eq 3389access-list outside_access_in extended permit tcp any interface outside eq 3389 access-list outside_access_in extended permit tcp any interface outside eq 8080 access-list outside_access_in extended

[code].....

View 2 Replies View Related

Cisco Firewall :: Not Able To Access ASA 5550 Through ASDM

Apr 22, 2013

We are having Cisco ASA 5550 appliance. from some days i am not able to access this ASA using ASDM. I am able to access ASA using SSH.[code]
 
At the same time standby firewall works perfectly fine with ASDM. I have tried by reloding the firewall, then it worked for 2 days & again stopped working.

View 6 Replies View Related

Cisco Firewall :: ASA 5525X - Multiple Outside Addresses PAT To One Inside Address

Apr 30, 2013

I am trying to get two external addresses to PAT to different ports on the same address in the dmz.
 
Object NAT is configured as follows:
 
object network Obj-192.168.1.20-1
nat (dmz,outside) static Obj-External-1 service tcp https https
object network Onj-192.168.1.20-2
nat (dmz,outside) static Obj-External-2 service tcp 2000 https
 
Obj-192.168.1.20-1 and Obj-192.168.1.20-2 contain the same host address.
 
The idea being that traffic destined for Obj-External-1 on port 443 will be forwarded to Obj-192.168.1.20-1 on port 443. Traffic for Obj-External-2 on port 443 will be forwarded to Obj-192.168.20-2 on port 2000.
 
Traffic for the first object, Obj-192.168.1.20-1, works but traffic for the second does not.

View 5 Replies View Related

Cisco Firewall :: ASA 5520 - Permit Traffic To Inside Via MAC - Address?

Apr 6, 2011

I have a handheld device that will be used for inventory outside of our office. It has 3g capabilities. Is there anyway I can permit traffic from this device from the outside world coming into my network?  I need to open a couple of ports so it can hit the server. But I have no intention to open these ports up to the entire world.  I use an ASA 5520 with a managed router from our provider. I looked around on the Cisco site and the only information I found was for permitting and denying traffic from devices that are within the network.

View 2 Replies View Related

Cisco Firewall :: 5510 - Duplicate IP Address With ASA Inside Interface

Apr 5, 2012

We've had issues with our Exchange 2010 server (running on ESXi 4.1) since its default gateway was changed to our new ASA 5510.  They manifested as frequent Outlook client connection dropouts or as IP address conflicts whenever Exchange was rebooted.  The temporary fix was to disable the Exchange server NIC, bounce the ASA and enable the server's NIC again.  We saw poor performance from Exchange after a while again, but after some research and testing I realised that disabling proxyarp on the inside interface fixed the problem permanently.
 
However I've now realised that the client VPN no longer routes properly because proxyarp is disabled on the inside interface, so I still have a problem.

View 10 Replies View Related

Cisco VPN :: 5510 - Changed Public IP Address / No Access On Native LAN

Jul 11, 2012

i'm running a 5510 asa and the vpn has been working great for a while.   We recently change our network provider so i had to change the public ip, and dns on the firewall... now i can still connect via the vpn and browse accross my mpls to other sites, but cant really access anything on the native lan that the firewall resides on?

View 9 Replies View Related

Cisco Firewall :: ASA 5505 Port Redirection On Same Public Address?

May 26, 2012

We have 2 TS (Terminal Servers) and have configured the 1st RDP using my public address (say 8.8.8.8) on port 3389. it is working very well of course. However I need setup my 2nd TS but will use port 7777 on the same public address which is not working.I am using ASDM 6.3 and firmware 8.3.1.Is this a limitation for this IOS?

View 6 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved