Cisco Firewall :: ASA 5550 - Acl Allowing Guest Access

Jan 26, 2012

I have an ASA 5550 at our main site with an external ethernet interface to our ISP for internet access.  I would like to allow 10.100.41.x/24 http / https access but block this network's access to all other internal networks including 172.17.x.x,,  10.100.1 - 40.x, and others.  I'm having trouble identifying what IP address to use as the desitination for the permit rule for access to the internet.  The rule that comes after the permit is to deny 10.100.41.x/24 access to internal network addresses. 

View 1 Replies


ADVERTISEMENT

Cisco Firewall :: ASA 5520 - Allowing Guest Wireless Network Access To Internal Subnets

Jan 23, 2012

We have a Cisco wireless infrastructure in place that includes a guest network with its own subnet that is a sub interface of the inside interface on our ASA 5520.  There are no routes for it to be allowed access to the internal subnets.  So it can only access the internet.  This is primarily used by the public, but we have several non employee personnel that we only want to give internet access and force them to access the internal network through our clientless SSL vpn portal or through other internet facing internal resources such as webmail.I have done packet traces from within the ASA and the break appears to be there is no ACL allowing the traffic back into the network once the web resource replies to the request and the traffic is attempting to come back into the network from the web resource.  Is that as clear as mud?
 
I know that this has to be a common problem and a way around this is to allow the guest wireless network access to the internal network but only for the select resources that they require.  And that this can be done seemlessly by network specific routes and or alternate DNS entries, but I would like to keep this simple and just allow them to access the web resource, webmail and VPN, from the guest wireless using internet DNS servers without route trickery.

View 8 Replies View Related

Cisco Firewall :: Allowing FTPS Access In ASA5510

Apr 13, 2012

We had an ASA 5510 as a firewall in our environment, and there is a requirement to access an ftps server from our location. Currently from the server location they configured everything by allowing our public ip to their server and gave the following details to access ftp.Please suggest which traffic needs to be allowed in our ASA to access the ftp server address as mentioned above. From my initial analysis, it's found that 989 port is also enabled for the access, but that was not mentioned by them.

View 1 Replies View Related

Cisco Firewall :: Allowing Internet Access Only For Specific Computers On PIX 501?

Jan 8, 2012

I'm a college student working on a lab involving a Cisco PIX 501 Firewall.
 
My project involves 1 computer and a firewall. My goal is to use the firewall to allow access to the internet for that computer which uses a static IP 192.168.1.5 and ONLY for that IP address. The firewall is connected to the internet.
 
I have the computer hooked up to the firewall with the serial and using hyper terminal to enter commands. I think I need to use access lists in order to deny traffic on those ports for those particular hosts. I can't figure out exactly how I need to set it up.
 
What I need to do is permit internet access for 192.168.1.5 alone. Any other IP should not be able to access the internet.
 
I tried:
 
access-list 1 permit tcp host 192.168.1.5 any eq 80
access-group 1 in interface inside
 
I cannot access the internet using the computer with 192.168.1.5. The goal is to be able to access with that IP and no other.

View 6 Replies View Related

Cisco Firewall :: ASA 5520 - Filter Is Not Allowing To Access Certain Websites

Aug 20, 2012

We have a Cisco ASA 5520 and Web sense.  I added a filter but it seems like it is still not allowing us to access a certain website from most of the machines however some machines with the same configuration work on the DMZ. Accessing website tells us:

"Firefox has detected that the server is redirecting the request for this address in a way that will never complete". 

Filter I applied on the firewall:

filter url except 0.0.0.0 0.0.0.0 64.18.218.0 255.255.255.0 allow
filter https except 0.0.0.0 0.0.0.0 64.18.218.0 255.255.255.0 allow

View 9 Replies View Related

Cisco Firewall :: Not Able To Access ASA 5550 Through ASDM

Apr 22, 2013

We are having Cisco ASA 5550 appliance. from some days i am not able to access this ASA using ASDM. I am able to access ASA using SSH.[code]
 
At the same time standby firewall works perfectly fine with ASDM. I have tried by reloding the firewall, then it worked for 2 days & again stopped working.

View 6 Replies View Related

Cisco Firewall :: 5505 Rule For Allowing Computer Access Microsoft

Apr 24, 2012

I have a computer behind the ASA 5505 firewall. The computer needs to access Microsoft Activation Server. Reading some website information, I need to allow a huge list of servers that basically points to www and https traffic. Therefore, looking at this heavy requirements, I prefer to allow this computer to navigate to any https or http (www) server outside of the firewall.I have included my current asa 5505 configuration. [code]

View 3 Replies View Related

Cisco Firewall ::ASA 5550 - ADSM Created Access Lists

May 9, 2012

I am trying to unravel a ASA 5550 config that has been created over several years, by multiple people, some who used ADSM, some who used CLI.

None of them ever removed any lines from the configuration, and none did any documentation. When examining the actual configuration from a CLI perspective:

1. Does an ADSM- created access list end with any specific ADSM- added suffix?
2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?
3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?
4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?

View 4 Replies View Related

Cisco Firewall :: 5550 ASA To Host On Sl100 For Internet Access

Apr 24, 2011

I'm working on setting up a new ASA 5550, and have run into a question that I hope is easily answered.I currently have 4 interfaces, SL100 Inside, SL80 DMZ1, SL50 DMZ2, and SL0 Outside.  I was under the impression that each interface, depending on security level would pass traffic from higher levels to lower, but not allow traffic being generated from SL80 to SL100.
 
What I would like to accomplish is that any hosts on my SL100 Inside interface can access the "internet" which is connected to my outside interface of the ASA, which was very simple, just a permit internal subnets eq www / https / etc...
 
My DMZ subnets need to access a few servers on my internal interface, and need outbound access to the world as well.  Thinking that all traffic from my lower SL interfaces on the ASA would be denied, I entered a permit IP / DMZ subnet ------> any.  This worked great for giving my DMZ hosts access to the internet, but it also permit traffic from the DMZ to hosts on my Inside interface as well.

View 2 Replies View Related

Cisco Switching/Routing :: 2950 Disabling Windows Firewall / Allowing Access Through The Router

Dec 18, 2012

i bought a cisco 2950 series switch to play around with and im trying to set it up to SSH. I have google'd a bit on how to do this and i've sort of hit a wall... i have downloaded the cryptographic image from cisco's website, installed a TFTP server (think this is where my issue lies) but when i do the copy tftp flash global command i keep getting the error accessing "xxxx" message.I have tried allowing the server through windows firewall, disabling windows firewall, allowing access through the router..

View 6 Replies View Related

Cisco Firewall :: ASA 5550 / Basic NAT From Outside Remote-access IPSec VPN To Inside?

Mar 16, 2012

I cannot get this to work properly and I've even had a Cisco engineer from TAC set-this up... and it literally broke my inside network.  I have a VPN range of addresses..x.x.x.x on the Outside that needs access to a server on the Inside at y.y.y.y.  HTTPS/443 connectivity.  I need to NAT my VPN subnet/pool in order to talk to the inside host, as that host will not accept traffic from my VPN subnet, but obviously, will accept traffic from Inside my private network.
 
The Cisco tech entered the following static NAT statement to "fix" the problem - nat (outside,inside) source static VPN Inside-Network destination static Host-y.y.y.y Host-y.y.y.y For whatever reason, whenever this is configured on my ASA 5550 v8.3(2)25 the Inside interface starts proxy arping and assigns all IP addresses on my private network with the MAC address of the Inside interface. 
 
The y.y.y.y is on a remote, routed network within my private, corporate MPLS network.  My Inside private network (Inside-network shown in the static NAT above) is x.x.x.x.  Not sure why this happens, but it kills my entire network and I have to jump through hoops to quiesce the network and get everything back to normal.I've tried to Dynamic-PAT/hide the VPN range behind the Inside interface through ASDM and that seems to do nothing.The NAT statement above will break my network. How to NAT this connection without killing my Inside network?  Or, on how to properly hide my VPN subnet/pool behind my Inside interface and back to the VPN subnet/pool.

View 1 Replies View Related

Cisco Firewall :: Automatic Naming / Binding Of Access Lists With ASA 5550?

May 8, 2012

I have been told that if an access list is created with the suffix _access_in, that if the preifx is the name of an interface, then that access list is automatically bound to that interface, even if there is no explicit command doing that. I looking at the config of an ASA 5550.
 
example:
 
Interface is Production
access list is called Production_access_in.
 
Is that access list automatically bound to the Production interface, even though it does not show up in any other commands?

View 4 Replies View Related

Cisco Firewall :: ASA 5550 - Direct Access To Public IP Address From Inside Network?

Jan 23, 2012

We have ASA 5550, I have a portal server in the dmz which is natted statically to a public ip address for port 443. The application works fine from outside world. The server is also nated with a dynamic nat from inside to dmz and when I hit on the dmz ip from my inside it works fine.
 
The requirement for us is that the users sitting behind the inside (i.e. LAN) should access the server on the public ip address and not thru the dmz.

View 5 Replies View Related

Cisco Wireless :: 5508WLC Whitelist For Guest Access And Securing Guest-access?

Aug 18, 2011

Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to authenticate to get to our own website, but do have to if they wish to go anywhere else?Looking at a 5508 model at the moment

View 4 Replies View Related

Cisco Firewall :: Way To Create A Guest Access Lobby On ASA 5525

Sep 23, 2012

Is there a module or way to create a Guest Access Lobby on the ASA 5525? We currenly leverage the WLC to do this for us, but are moving to a routed access enviornment which is causing some issues. We would like to offload the guest access responsibility to the ASA if possible.                   

View 1 Replies View Related

Cisco Firewall :: 2901 / ASA 5510 Guest Internet Access?

Jan 15, 2012

I have a subnet for guest network access, both wired and wireless.  We have a Netgear ProSafe that is trunked to a Cisco 2901 performing 'Router-on-a-Stick'.  For most internal traffic, it all stays behind the ASA.  But for guest traffic, I have a route-map that sets the next-hop address as the outside interface of the ASA.  The question is, how can I still permit those users to access our internal DNS servers?  Do I need any particular NAT translations, exemptions, DNS doctoring, hairpinning, etc.?  I have an ACL on the inside interface that permits traffic from the guest networks to our internal DNS servers, and then the next ACL line denies any other traffic from the guest networks to any of our internal networks.

View 7 Replies View Related

Cisco Firewall :: ASA 5510 - Guest Network Access To Internal Webserver

Dec 18, 2012

I have the syntax correct and thought process down right on a solution to allowing guest wireless users access to an internal webserver.  (DMZ discussion aside)
 
We have an ASA5510 with interfaces setup as:
outside - 65.x.x.x address
inside - 172.20.1.2
guest_inet - 10.2.1.1
 
Internally clients resolve our website to 192.168.40.40 and that part works as it should.  Clients outside of our network resolve our website to the correct external address (lets just call it 1.1.1.1). We have a NAT statement static (inside, outside) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 and an ACL to permit tcp any host 1.1.1.1 eq www
 
Clients on our guest_int use an external DNS server and hence resolve our website to 1.1.1.1.  However it seems traffic goes out and back in our outside interface and this connection never occurs.
 
What I'm wondering is the correct NAT statement / ACL to add that would allow our internal clients on the 10.2.1.x network to access our internal website.  Would that be: static (inside,guest_inet) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 ?  Since there is already an ACL permitting port 80 traffic to 1.1.1.1 we should be taken care of on the ACL side of things, right?

View 3 Replies View Related

Local Access Only - Router Not Allowing Access To Internet?

May 18, 2011

Abruptly internet access disappeared. It's a router issue, none of the computers here can connect. Further, I can't access the router through a browser - 192.168.0.1 results in a "Firefox cannot connect" message. I've tried resetting the DNS to no avail. I'm typing via cell phone and it's annoying, but I'm willing to try about anything.

View 4 Replies View Related

Cisco Firewall :: 5550 Firewall Set Up For Redundant Purpose

Mar 3, 2011

i two 5550 firewall set up for redundance purpose . in failover we define two different ip add one for primary and one for secondary .interface Ethernet0/0 nameif outside security-level 0 ip address xxxx.0.0.0.1 255.255.255.0 standby xxxx.0.0.2!interface Ethernet1/0 nameif inside security-level 100 ip address 10.0.0.12 255.255.255.0 standby 10.0.0.11.default gateway for host will be 10.0.0.12 (primary fw address) however in case of failover , the secondary fw will be up with ip address that was assigned for primary .in this case the secondary ip add 10.0.0.11 is actually nerver used? similarly do i need to have two public ip address for outside (one for primary and one for secondary )   ? or in case if primary fails the secondary comes onlie and take the ip of primary fw . hence i only need to purchase just one ip address.

View 6 Replies View Related

Cisco Firewall :: 5550 Firewall Syslog Message

Feb 22, 2013

I have cisco 5550 Firewall, one messages appear in syslog server from Firewall, (warning) i want to stop this message from appearing syslog traps.

View 2 Replies View Related

Cisco Firewall :: Secondary ASA 5550 Firewall Getting Down Automatically?

Apr 17, 2011

I am having two ASA 5550 firewall running in active/standby mode. With in last two months our secondary firewall got down automatically 3 times. Firewall is running with IOS version 7.1.2. how to proceed further troubleshooting because there are not any logs on firewall.

View 3 Replies View Related

Cisco Firewall :: Allowing Netbios 137 / 138 Through ASA?

Sep 10, 2012

I've recently had to move an AS400 system behind an internal ASA firewall and now users are unable to browse to it.The ASA is running Version 8.2(5)? I get these messages: Sep 11 2012 17:09:59: %ASA-7-710005: UDP request discarded from 172.19.241.35/137 to outside:172.19.241.255/137?Is there a way to enable these ports without enabling NAT?No VPN's involved, just an inside and outside eth interfaces?

View 12 Replies View Related

Cisco Firewall :: ASA5520 Not Allowing Traceroute

Oct 31, 2011

I've got an annoying problem with my ASA 5520.I have traffic going from the inside interface (security level 100) to the outside interface (security level 0) with a global PAT applied to the outside interface address for all inside traffic - and I can't seem to traceroute through the firewall.The ruleset is simple - basically, allow any IP from inside to outside. The NAT is simple - PAT all traffic unless exempted to the IP address of the outside interface.If I do the trace from my internet edge router it works fine - so I know it's not soemthing my uplinks are filtering - but if I do it through the firewall, I get perfect responses until the hop where it hits the firewall interface - then nothing.Is there something I am missing that I need to do to allow traceroute to just work with all the rest of the traffic?

View 2 Replies View Related

Cisco Firewall :: 7100 Allowing NAT / PAT From Router Through ASA

Mar 17, 2013

I have a 7100 router that has some servers behind it. I need to translate each server to a public IP. The only thing is that between the outside world and the router is an ASA. We have a small data center where the ASA is connected to a core switch on the inside and the ISP on the outside. How would I do the NAT/PAT translations on the 7100 and then have them pass through the ASA? for example:

View 6 Replies View Related

Cisco Firewall :: 881 Router - IOS ZBF Not Allowing IPv6

Oct 4, 2011

I am trying to configure Zone Based Firewall (IOS 15.2T) on Cisco 881 router for IPv6. Current setup is simple:

Zone:
LAN --> WAN zone security LAN
zone security WAN
!
class-map type inspect match-any Internet-cmap
match protocol dns
match protocol http
match protocol https
[ code ] ........
 
Current configuration behaves as expected for IPv4, but blocks all IPv6 traffic. If zone-security is removed from WAN interface IPv6 works normally (connected to Internet). As soon as zone-security is enabled on WAN interface all IPV6 traffic is discarded when connecting to Internet from local LAN.
 
Error messages on console: Half-open Sessions source destination tcp SIS_OPENING/TCP_SYNSENT
 
Are there any special settings for ZBF which should be turned on for IPv6 protocol?

View 1 Replies View Related

Cisco Firewall :: Allowing Traffic From Inside To Outside ASA5505 7.2(3)

May 15, 2012

Let me start by saying that I'm just starting to study for CCNA, so the ASA seems to be a bit above me yet.  The ASA's we are using is for VPN to our corporate office and only allowing access to our Citrix environment, so no direct internet allowed.  We have a person who works in the remote office who has need for a caption telephone that requires direct access to the internet.  The phone only supports DHCP, and getting the ASA to do an ARP reservations is proving difficult.  For now I wrote an access list to allow it's DHCP address out but it still isn't working.  The access list I wrote is:
 
access-list 101 extended permit ip host xxx.xxx.xxx.124 any log
access-list 101 extended permit ip any any
access-group 101 out interface outside
 
When I do a show access-list I'm seeing that traffic is hitting the access list as the hit counter has increased.  When I do a show conn I'm seeing one of the IP's that the phone should have access to, however the flags are: saA, so I'm assuming they are not getting a response.  According to the manufacturer, only outbound connections are needed, no incoming ports required.  All traffic is TCP.

View 8 Replies View Related

Cisco Firewall :: ASA 5505 - Allowing Multiple Networks On DMZ?

May 22, 2011

I have 3 networks coming on DMZ (VPN) interface. Only one network is able to ping the DMZ interface. See below networks coming i on the DMZ.
 
10.132.24.0/2410.132.25.0/2410.132.26.0/24 Only the 10.132.26.0/24 netork works as it is in the same range as the DMZ interface.
 
allowing the other two networks to communicate. I've attched the diagram and configs for your perusal.

View 1 Replies View Related

Cisco Firewall :: ASA 5505 Not Allowing Incoming Traffic

Mar 15, 2012

I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall.  I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one.  Unfortunately, my script is not working with the 5505.  What I am doing wrong with the following script?  I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults.  I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network. [code]

View 7 Replies View Related

Cisco Firewall :: ASA5520 Allowing / Blocking Skype

Sep 17, 2012

I have the following: redundant ASA5520s on v8.2(1)proxy server/web filter for blocking access to websites for staff/studentsusers who want to use SkypeCisco Catalyst 4507 corea dozen VLANs for staff/student/WiFi etcCisco core policy that routes 80/443 to transparent proxy on a WiFi VLAN Windows desktops have direct proxy settings in IE .Pretty much all outbound ports are closed with 80/443 and a handful of specifics for various things open. Because of this Skype attempts to use 80/443 which are sent to the proxy server but bnecause they're not HTTP/HTTPS they cannot be understood. Skype attitude is to open 1024-65535 which is just plain stupid!
 
There's no way to specify which port(s) Skype uses for outbound. I tried opening 33000-33099 which worked perfectly for 2-3 devices (Win laptop, iPad) but others failed all the time.I've seen people mention using an AIP-SSM module in the ASA for blocking Skype (and other things eg torrents). Is it possible to use this module to allow Skype eg on ports 1024-65535 whilst blocking any other application from using those ports?

View 2 Replies View Related

Cisco Firewall :: 2811 Not Allowing ICMP To PBX Through Same Interface

May 31, 2013

Attached is our network diagram showing the details of our remote office and the corporate side which are connected via private fiber. The workstation (10.10.102.84) can ping the 10.20.0.31 IP address of the PBX but not the .30 address and I know if we can’t ping it we can’t remotely manage it. The 2811 router, ASA 5510 and the 6509-E can ping both IP addresses on the PBX. The ASA logs the error "Denied ICMP type=0, from laddr 10.20.0.30 on interface inside to 10.10.102.84: no matching session" when the workstation pings the .30 address.
 
We changed the default gateway of the PBX from 10.20.0.2 to 10.20.0.1 (2811 router) and we were able to ping both IP addresses from the workstation but the SIP trunks from the Internet stopped working (they NAT to the .30 address). Because calls may be forwarded from the PBX to the corporate network (via IP phones) we will eventually need to change the default gateway to10.20.0.1 and still need the Internet SIP trunks.
 
My two questions are, how do we resolve the issue of pinging the .30 address from the workstation and then when the time comes how do we resolve the issue with the SIP traffic reaching the .30 address when we change the default GW of the PBX to the 10.20.0.1 address of the 2811 router.

View 9 Replies View Related

D-Link DIR-655 :: Router Not Allowing Internet Access?

Jan 14, 2012

I just bought the 655, mainly for school/Xbox. My parents use it also, but I bought it for myself mainly (shh). I set it up correctly and got connected, but suddenly I wasn't allowed Internet access. The router connects to my laptop, but won't get Internet access. I called customer service and he didn't know what to do. We tried everything he knew and nothing worked. I don't want to return the router cause I read it was very good, but I need internet for school. I have Rev. A and F/W 2.00.

View 8 Replies View Related

Cisco VPN :: 5505 / Remote Access VPN Allowing Only Since Host To Connect?

Jun 12, 2011

I have created a RA VPN with a 5505 using Anyconnect client.  My VPN functions perfectly, but now I am trying to limit access so that only one single host on my network can connect.  To do this I tried creating an ACL permiting the host and denying all other traffic, but it does not work it seems every one can connect.  how I can limit the outside access to a single host?

View 3 Replies View Related

Cisco Application :: ACE30 Running But Not Allowing Management Access

Sep 9, 2012

We've got pairs of ACE30s in our data centers set up with active/standby FT.  Some time yesterday the active ACE in one data center started refusing management traffic - it accepts SSH connections but fails authentication (local password, no RADIUS/TACACS is configured); and ANM reports it as down (no XML connectivity),We haven't opened a TAC case yet - someone's on his way over to see whether we can get in through the serial port first - but I'm wondering whether there are any other diagnostics we can gather (will resetting the module form the Sup force a coredump?) before we do.

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved