Cisco Firewall :: ASA 5550 - Traffic For External IP Address Does Not Arrive
Aug 24, 2011
We have a new Cisco ASA 5550 that I am trying to configure. We are currently using a borderware firewall.
We have multiple external IP addresses and I can NAT traffic from all except for our external interface IP address.
When watching the packets in the ADSM monitor if the IP address is our external IP then I see nothing unless it is ICMP. I can ping the IP address just cannot do anything else with it.
All the rest of our provided IP addresses can be NATed and work correctly.
Traffic for our external interface IP does show up when we use the borderware firewall so we know the traffic is getting here.
View 6 Replies
ADVERTISEMENT
Nov 10, 2011
I have a cable modem internet connection and my cable modem is connected to an ASA 5505. The inside interface of the ASA has an IP address of 192.168.2.2 and is connected to a Linksys router's internet port which has an IP address of 192.168.2.1. The Linksys router then has a local area network of 192.168.1.0 and all my clients are on that network. Everything is working fine except in my ASA logs all the traffic shows up as the router's external address which is 192.168.2.1. I would like to see the 192.168.1.x address of the clients in the ASA firewall. I've tried making some changes to the Linksys router but that hasn't resolved it. Is there any changes I can make on the ASA to get this to work?
View 6 Replies
View Related
Mar 14, 2011
We are suffering slow https traffic download. We have a CISCO ASA 5550, Cisco Adaptive Security Appliance Software Version 8.0(5)19. When we try to download some videos from an https server we have a data download rate of about 140 kbps, but if we bypass the firewall and put a laptop just after the border router, data rate increase up to 350-400 kbps.
We configured a new interface in the firewall and we connected a laptop directly to the port in the ASA 5550, with a new ACL permit ip any any, just for test purposes, but data rate is still the same, 140 kbps.
View 2 Replies
View Related
Jul 8, 2012
I have an old ASA 5505, and I'm having some trouble with Nat Hairpinning. I've done this with other firewalls before and I am having no luck now. I have an internal address that I wish to forward from an external address- so if someone goes to 123.456.789.012:3456 then it will forward to 192.168.1.244:92 (All numbers are arbitrary here- only for illustration). I have and Access Rule and NAT and PAT set up so that I can get in if I originate from outside the LAN. What I am trying to do is to have this work from inside the LAN as well- so that if I am at my desk, and I connect a device and type in 123.456.789.012:3456, it will deliver the content at 192.168.1.244:92. The problem I am having is that it just isn't working, and I cannot figure out why- When I started here, there was an address configured to work this way, and it still works- I just cannot find what is different between what I am doing and what the person who configured it did.
View 7 Replies
View Related
Jan 23, 2012
We have ASA 5550, I have a portal server in the dmz which is natted statically to a public ip address for port 443. The application works fine from outside world. The server is also nated with a dynamic nat from inside to dmz and when I hit on the dmz ip from my inside it works fine.
The requirement for us is that the users sitting behind the inside (i.e. LAN) should access the server on the public ip address and not thru the dmz.
View 5 Replies
View Related
Dec 30, 2012
I am a total Cisco novice who has just had a ASA5505 installed to replace a linux freeware firewall (smoothwall).I'm told that the 5505 can't port forward traffic (e.g. ssh) from two external IP addresses to two internal destination machines via the same port # (22 in this example).
View 9 Replies
View Related
Mar 22, 2012
We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
ASA Version 8.4(3)!hostname ciscoasadomain-name default.domain.invalidnames!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 10.2.1.1 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 152.18.75.132 255.255.255.240!boot system disk0:/asa843-k8.binftp mode passivedns server-group DefaultDNSdomain-name default.domain.invalidobject network a-152.18.75.133host 152.18.75.133object network a-10.2.1.2host 10.2.1.2object-group network ext-serversnetwork-object host 142.21.53.249network-object host 142.21.53.251network-object host 142.21.53.195object-group network ecomm_serversnetwork-object
[code]....
View 10 Replies
View Related
Mar 13, 2013
We have an ASA 5505 and are changing ISPs so we'll be getting a new static IP address. How do I change the external IP address using ASDM? (I haven't done it in 5 years so I'm rusty and just want ot make sure.) The ASA and ASDM are up to date.Am i correct in that I only need to change the external address in the configuration under Interfaces, then under Routing - Static Routes - Gateway IP I just need to enter the new WAN gateway address?
View 2 Replies
View Related
May 30, 2013
I have an old ASA 5505, and I'm having some trouble with Nat Hairpinning. I've done this with other firewalls before and I am having no luck now. I have an internal address that I wish to forward from an external address- so if someone goes to 123.456.789.012:3456 then it will forward to 192.168.1.244:92 (All numbers are arbitrary here- only for illustration). I have and Access Rule and NAT and PAT set up so that I can get in if I originate from outside the LAN. What I am trying to do is to have this work from inside the LAN as well- so that if I am at my desk, and I connect a device and type in 123.456.789.012:3456, it will deliver the content at 192.168.1.244:92. The problem I am having is that it just isn't working, and I cannot figure out why- When I started here, there was an address configured to work this way, and it still works- I just cannot find what is different between what I am doing and what the person who configured it did.
View 5 Replies
View Related
May 4, 2011
I have a couple of ASA 5505's which work fine for what they are doing VPN and all that - we have 1 DLINK DFR-700 Firewall left and I need to get a new ASA to replace this since it is old.
All this box really does is port forward external clients to 1 address on the internal lan for client software updates. Any example configs?
So lets say we have client a with IP 1.1.1.1 and client b has 2.2.2.2 - at the moment this is what happens client a and b come in through http and get mapped to the internal http server 10.10.1.2
So I need to setup about 100 clients which can come in through http only - get mapped to the internal IP and also keeping the internal server to be able to access anything outside.
View 1 Replies
View Related
Sep 10, 2012
I'm configuring a 5505 for a remote office. Until they are assigned a static ip by the provider I will have to use the providers dhcp address. How do I construct an access list for the outside interface using the external address if I don't know it yet? is there a commnd that will insert the ip address in to the access list once one is assigned?
View 5 Replies
View Related
May 14, 2013
In our company we use ASA 5550 as a VPN server (failover pair, FW 8.2(5)). Long time we used Cisco VPN client (easyVPN) only and some time ago we started to use L2TP/IPsec VPN from Windows clients.From this time we can see strange behavior. Some ip addreses (we use ipv4 only) from local VPN ip pool are getting unusable for clients. When client gets this ip address the traffic from client to intranet is ok but the traffic from intranet to the client is blocked. This behavior affect both L2TP/IPsec and easyVPN clients with this ip address.The packet trace shows that the traffic will be blocked because implicit deny ACL but ACL for the connected user is created:
Phase: 10
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
[code].....
We use RADIUS for authentication and ACL. Failover to the standby ASA solves the problem but this terminates all L2TP/IPsec VPN connections.We use Cisco Anyconnect VPN too and when Anyconnect client gets this „strange“ ip address he can communicate normally without problems. It looks like that this problem is related to IPsec. how to discover why ASA uses -implicit deny- instead of user ACL?
View 0 Replies
View Related
Apr 6, 2011
I have a handheld device that will be used for inventory outside of our office. It has 3g capabilities. Is there anyway I can permit traffic from this device from the outside world coming into my network? I need to open a couple of ports so it can hit the server. But I have no intention to open these ports up to the entire world. I use an ASA 5520 with a managed router from our provider. I looked around on the Cisco site and the only information I found was for permitting and denying traffic from devices that are within the network.
View 2 Replies
View Related
Nov 15, 2011
How does a firewall block or filter traffic on a specific port or IP address?
View 1 Replies
View Related
Mar 3, 2011
i two 5550 firewall set up for redundance purpose . in failover we define two different ip add one for primary and one for secondary .interface Ethernet0/0 nameif outside security-level 0 ip address xxxx.0.0.0.1 255.255.255.0 standby xxxx.0.0.2!interface Ethernet1/0 nameif inside security-level 100 ip address 10.0.0.12 255.255.255.0 standby 10.0.0.11.default gateway for host will be 10.0.0.12 (primary fw address) however in case of failover , the secondary fw will be up with ip address that was assigned for primary .in this case the secondary ip add 10.0.0.11 is actually nerver used? similarly do i need to have two public ip address for outside (one for primary and one for secondary ) ? or in case if primary fails the secondary comes onlie and take the ip of primary fw . hence i only need to purchase just one ip address.
View 6 Replies
View Related
Feb 22, 2013
I have cisco 5550 Firewall, one messages appear in syslog server from Firewall, (warning) i want to stop this message from appearing syslog traps.
View 2 Replies
View Related
Apr 17, 2011
I am having two ASA 5550 firewall running in active/standby mode. With in last two months our secondary firewall got down automatically 3 times. Firewall is running with IOS version 7.1.2. how to proceed further troubleshooting because there are not any logs on firewall.
View 3 Replies
View Related
Jan 18, 2010
I want to redirect internal web traffic (browsing) to an external web server for Web, Virus and Spyware filtering. Those externals proxies are running in 8080 port. I have one ASA firewall and a Cisco 2600 router. I was thinking in doing PBR in the router but in the next hop I can only set one IP, not an IP and a port. So how can I redirect web traffic to an external proxy listening in 8080 port?
View 11 Replies
View Related
Nov 16, 2011
Can the SRP547W be configured to allow traffic on port 25 from an external ip range to an internal address?
View 0 Replies
View Related
Jul 9, 2011
I have recently purchased a Linksys WAG320N (firmware V1.00.12) to replace my old ZyXEL P-660H-D1.I've managed to set it up roughly the same in terms of the ports I want open and port forwarding, with one exception: I can enable a port to be forwarded to an IP address on my network, but I can't find anywhere to set it so that the port is only allowed from a specific IP address outside of the network, e.g.
Accept port [some number] from [some Internet address] into 192.168.1.2 but reject attempts from others.I thought it might be in Access Restrictions but that only covers internal IP addresses.
View 1 Replies
View Related
May 13, 2011
I have ASA5550 ruuning Version 8.3(1) with inside and outside interfaces as below [code] On the inside : I have a server (10.20.10.36) that need to be accessed from an outside host (Y.Y.131.34) , so I have the below NAT/ACL rules. [code] is it right that I have to add two ACL entry for outside host to the NATed IP of the inside server , then again add another ACL entry from the same outside host to the private IP of my inside server o get this communication done?
View 7 Replies
View Related
Jan 31, 2012
we had just installed our ASA 5550 with IOS 8.0(2) a couple of week ago.
2 interfaces from each slot are being used ie 0/0 for Branch users comming via MPLS cloud , 0/1 for internal LAN users comming form Core Switch & 1/0 for Server farm LAN , 1/1 for Internet (outside)
the first 3 interface are considered inside with sec set at 100 while the 1/1 is outside with sec at 0.
Last night it suddenly started dropping all connections without any warning or any noticible log form the ASDM logging.
the connection drop would happen for 2 - 3 minutes and would work fine for the next 15 minutes or so..
after conencting the console , we found out that the IOS would suddelny go abrupt and show this display ...
TP-ASA(config)# TP-ASA(config)# TP-ASA(config)# Thread Name: Dispatch UnitPage fault: Address not mapped vector 0x0000000e edi 0x24d184b0 esi 0x0000000d ebp 0x1c6ceaf8 esp 0x1c6ceae0 ebx 0x09e965e0 edx
[Code]....
View 2 Replies
View Related
Oct 4, 2011
I have looked in the books I have (Cisco ASA, PIX and FWSM; ASA 8.0) and googled a good bit but can't seem to find any specific mention of how to do NAT exemption with v8.4. It seems NAT exemption (NAT 0 access-list) was deprecated. Using ASDM, there's no corresponding menu item for this that is obvious.
We have public addresses inside the ASA and want to allow in/outbound connections using these IP's without NAT. The ASA is a 5550.
View 7 Replies
View Related
May 23, 2012
My IP adress has always been external. About 2 years ago, after reinstalling my windows,(I am using and used before reinstalling windows7) my IP adress started to work as it wouldn't be external. I couldn't host servers and stuff like that anymore.I tried turning off firewall, few other tricks but nothing changed.When I look information about my IP adress ,most of the sites see it as external.Also, when I call my interned providers, they tell me that they see my adress as external.
Some details :
-Internet is provided by a cable (not using telephone, TV or something else from those internet dealers)
-I am alone using this internet, no one else is connected to it.
View 4 Replies
View Related
Jul 26, 2011
I use an online software host. They put print jobs into a queue and send them directly to my printer. I just got a new printer. The software host needs it's "External IP address" I have my internal IP address. I pinged the printer and got my internal IP address instead of the printer's. I am on a home wired network running through a modem and router.
View 2 Replies
View Related
Aug 19, 2012
We have a strange issue for one of our customers that recently migrated to our internet service.They are trying to vpn to an external ip address not controlled by ourselves. The issue is only on one subnet and isolated to Mac’s, PCs in the same subnet also work fine. They were able to vpn from the MACs before they migrated to our INET solution. They previously used a checkpoint FW for their outside NAT and firewall and now are using a failover pair of asa 5510s. I have packet traced out the firewall and there should be nothing blocked. UDP ports 500 and 4500 are open to the destination ips from the correct subnets. All other subnets with Windows PCs can vpn out to external ip without issue. The users in that subnet with the MACs can also browse internet fine so the routing and nat overloading is also ok
When they try to initiate a connection from the macs i can see the connection/xlate coming in from a source port of udp 4500/500 and also a destination of udp 4500/500 instead of a random source port. Just this evening we managed to get one device connected but no others. Would the fact that the source port is claiming 500 and 4500 stop the other macs using the same source ports at the same time to connect out? They are using the onboard mac vpn client, he can’t get the Cisco one working at the minute. [code]
View 1 Replies
View Related
Nov 18, 2012
We have a Router with one External IP and a couple of VLANs. We have got a Teleconferencing Unit that needs almost every port known to man to work, so decided to get the unit its own External IP.
We have the IP now and how to get it in the router and then also to use it only for the Video unit (From outside straight through to Video).
Im comfortable adding lines to the router but just don't know what the lines should be.
The new IP's purchased are 116.199.222.200/30 (Only need to use one address, lets say 116.199.222.200). No idea what the subnet mask should be...
The router config below stripped of irrelevant stuff:
interface FastEthernet0
no ip address
!
interface FastEthernet1
[Code]......
View 11 Replies
View Related
May 21, 2013
I need to understand if ASA 5550 ver 8.2(1) is comptible with IPv6, if not what is the upgrade path to make it IPv6 compatible. The requirement is dual stack of IPv4 and IPv6 should run in the same HA cluster and later will shift IPv6 completely.
The existing infrastructure is equipped with ASA with HA Active/Active mode. The command output for required details are attached here in txt mode.
View 2 Replies
View Related
Mar 10, 2013
I have Active Standby ASA5550 setup with VPN premium license. A few days back we had a requirement of SSL VPN connection for and we got a temporary from Cisco for same, this license expired and the ASA reverted to it's original license. 3 4 days after this we saw a sudden increase in CPU utilization (upto 90% + -5%) on the ASA during production hours but were not able to figure out the reason, in order to restore the services we failovered the firewall to secondary and everything worked fine. We were suspecting one of the following but there were no logs for any of this
1. The ASA hardware was haivng problem
2. Some client was doing a DoS attack to bring down the ASA (no logs for this as well).
We took a downtime to look further by failovering the ASA back to primary and it worked fine without any issues ruling out the 1st option. We also came across a licesing doc [URL]
Downgrading any license (for example, going from 10 contexts to 2 contexts).
# Note If a temporary license expires, and the permanent license is a downgrade, then you do not need to immediately reload the security appliance; the next time you reload, the permanent license is restored.
As per this doc, sooner or later a restart was required on the ASA. We restarted secondary ASA and everthing was fine but when we restarted the primary ASA by swtiching over to secondary some of the server (not all) in the DMZ stopped working (even ICMP unreachable) and only came back to normal when the primary ASA was restored and working fine (with failover).
The reboot was done by shuting down the physical link between the Core switch and ASA inside individually.
I am not sure what could be the issue that the servers in the DMZ wen unreachable.
View 0 Replies
View Related
Aug 9, 2010
In my Cisco ASA 5550, I need to set two different syslogs servers, and I need to send the system logs to the first one (only admins login/logout), and the traffic logs and all the rest (informational level) to the second one. Do you know if is it possible or not and, if yes, how to configure it?
View 6 Replies
View Related
Jun 12, 2011
I would like to work with two ASA's 5550 in HA (Acitve-Standby) like perimetral firewalls and also work with another ASA 5540 but like a SSL VPN Remote Access to end users.Which will be the best topology to this scenary?. Perhaps i need to put the ASA 5540 SSL VPN together with the ASA's in HA directly in a port.
View 1 Replies
View Related
Apr 26, 2011
I am using an ASA5550 for a complex secure network that has at least six "outside" networks. Each "outside" network is assigned to a specific port each set at level "0". I also have a DMZ, set to level "50". I am having difficulty with passing traffic from a host in the DMZ to all but one of the "outside" networks. Is there a limit to the number of "outside" interfaces? I will provide a redacted config file as soon as possible.
View 3 Replies
View Related
May 10, 2013
i have Cisco ASA 5550 and i want to do URL filtering using Web sense,can i use Micorsoft Forefront TMG2010 as websense server to do that?
the idea is to filter the HTTP & HTTPS URLs,if the Micorsoft Forefront TMG2010 is not suitable,refer to suitable Websense URL filtering server?
View 2 Replies
View Related
