Cisco Firewall :: ASA 6.1 Deny IP Spoof From (global) To (Static NAT) On Outside Interface
Jun 2, 2013
I'm receiving an error when trying to access a web server behind from one subinterface to another subinterface on an ASA access the public IP. I'm getting the following:
Global Static NAT Deny IP spoof from (61.X.X.X) to 201.X.X.X on interface Outside
Traffic dies at the firewall stating that the traffic is spoofed from the Global address (61.) to the static (201.) address. Both bound to the outside interface. When I create a static NAT on the firewall there is no problem; however when I'm patting against the firewall to the public IP I get the denies.
I'm trying to attach tacacs server (ACS Version 5.2) in server group on ASA 5520 (Version 8.4). When I test connection in ASDM (Version 6.4) between ASA and ACS it fails. The log message on ASA is:
%ASA-2-106016: Deny IP spoof from (10.8.27.126) to 10.8.48.10 on interface inside.
I am having issues getting this to work. For email, I have mail.xxx.xxx DNS'd to 165.165.165.165. I want it to come in to 10.1.0.31. It needs to go out a cluster of 10.1.0.31, 10.1.0.34, or 10.101.201.31 but look like it came from the 165.165.165.165 address. I have set up static NAT for the inbound. I have set up the global PAT with an ACL group of the 10.xxx addresses. I have set this same method up on an ASA with no issues but it doesn't want to work on the PIX 6.3. What am I missing?
no fixup protocol smtp 25 object-group service NewExchange tcp port-object eq https port-object eq smtp [Code] ....
I have ASA 5550, i create 2 context in my ASA 5550. I create a NAT in context A and context B. But when i create NAT in context B i get another i get error message like this "static overlaps with global in another context". I have checked there is same nat translation in context A and context B. My question is : is same nat translation configuration not allowed in context A and context B"
I have an ASA 5510 running version 7.0. I have a problem with an exchange server using a static map and its outbounc connectivity. It connects outbound through the global address even though inbound connectivity works fine through the static mapping. The recent changes are changing of the zero route through a different interface (there are to circuit connected to this ASA on different interfaces). So the idea was to get all workstations in the office using the global address and routing out through one circuit, and the servers connecting in/out through the other circuit. Shouldn't a static mapping ignore what the zero route is?
Here are what I believe to be the relevant configs.
interface Ethernet0/0 description New 6mb circuit speed 100
[Code]....
So exchang2 server can be connected to from the outside properly via IP xxx.207.51.231/exchange2-outside, but all outbound connections from this server are going out via IP xxx.122.47.218/circuit-6mb as do all the workstations due to the global address statement.
Verifying the operation of the ASA when configured with Global access rules. Does the global rule overide the interface security levels? According to the ASA order of operations, the interface specific rule get's processed first and then the global rules, but It does not say anything about interface security levels. Observing an ASA in production that has global rules configured I see that an interface with a security level of 50 that has no rules applied to it, passing traffic to the outside interface (security level 0) drops the traffic. Syslog shows that it hits the global access rule implicit deny. Does the implicit permit any to any less secure interface not apply?
I'm looking fot a way to do static URL blocking with ASA and when the URL is blocked present a "Web Page" to the user saying that it's been blocked.
So, i was wondering if i can use the http parameter "spoof server string" to replace the original URL sent by the user for another URL that points to an internal web server holding a basic page saying "Your URL request has been blocked".
The point is to have a way to tell users that the page they are trying to browse is blocked by a policy.
I have inherited an ASA 5520. In doing some auditing of the setup, I have noticed a Static Route that has the inside interface of the ASA as the Gateway IP. I am trying to understand the purpose of this route or why a route would be setup this way.
Example Static Route: Inside 10.xx.31.0 255.255.255.0 10.xx.xx.10 (10.xx.xx.10 is the inside interface of ASA)
I have an 8.3(2) ASA with a single outside IP. Dynamic PAT translates inside addresses to the outside interface address. I would like to use static NAT with port translation to access an inside syslog server. I got an error when I tried using the outside interface address. Can I use both dynamic PAT and Port Translation with the same outside address?This is what I would like to use but I receive an error saying there is an overlap using the outside interface address.(192.168.1.0 is my inside network. 10.10.1.10 is the outside interface IP.)
At the moment if I try and access data from VLAN 1 to VLAN 4 it gets to the destination ok going through the static route and over the vInterOffice connection but the problem is VLAN 4 returning the traffic. This fails because there is no static route back to VLAN 1. If I create a static route from Office 2 to VLAN 1 then it will route all my data traffic over it as well.
customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address, one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
i have a problem customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
We have several pairs of ASA5510s in failover A/P mode, some running 8.3(2) and others running 8.4(1).
e0/0 = outside e0/1 = inside m0/0 = management
The problem we're having is we can't get anything to route out of the management interface unless we put in a static route at least to the subnet level. For example, we want syslog traffic to exit out m0/0 to our syslog server 10.71.211.79. Our 'gateway of last resort' points to the next hop out e0/0, and a second static route with a higher metric and a more distinct network space is for m0/0 as in:
This doesn't work, and ASDM loggin gives this error: ".....Routing failed to locate next hop for udp from NP Identity Ifc:10.72.232.89/514 to management:10.72.211.79/514"
If I put in a more granular subnet route, or a host route of the syslog server it works, such as:
route management 10.72.211.0 255.255.255.0 10.72.232.94 10 <------------- this works
route management 10.72.211.79 255.255.255.255 10.72.232.94 10 <------------- this works too
Why won't a static route for 10.71.0.0 255.255.0.0 work in this case?
We are going to have numerous hosts access and be sent messages though the management interface of these ASAs, and it would be very burdonsome to have to add a host, or even a subnet, route for every one. I've removed all static routes and tried to rely on EIGRP, but that doesn't work. I also had to put 'passive-interface management' under the EIGRP for this to work.
Here is the pertinant ASA config concerning syslog, routing, and interfaces:
I have a asa 5520 with an outside and backup interface. I am trying to configure two static nat statements from the inside to the outside and backup interface. Here is what I have configured so far.
nat (inside) 1 10.1.1.0 255.255.255.0 global (outside) 100.1.1.1 nat control is turned off.
By my understanding any traffic from the inside to outside interface will be PATted to 100.1.1.1. However, communications between inside and the DMZ will not be PATted, and should work with no problems.This seems to be corroborated by this document: [URL]Which states:"The adaptive security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues."EDIT: I may have misunderstood the above statement.I found this guide to configuring NAT/PAT: [URL]It states:"When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface because to perform NAT from outside to inside you must create a separate nat command using the outside keyword. If you do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected."My problem is that packet tracer does not seem to bear me out. It tells me the packet is dropped due to "no matching global" when I source traffic from the inside interface and send it to the DMZ.
We are getting continuously log created as below in ASA 5510. I suspect something is going wrong (like system is getting compromised ? )
Note: I have changed the actually public IP to 1.1.1.1 for some security cause.
Log..
Mar 18 21:46:19 124.153.100.44 Mar 18 2011 21:46:22: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1Mar 18 21:46:19 124.153.100.44 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1Mar 18 21:46:20 124.153.100.44 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1Mar 18 21:46:21 124.153.100.44 Mar 18 2011 21:46:24: %ASA-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 1.1.1.1(code)
I got a Global Implicit Rule problem with my Cisco ASA 5510. Here's my configuration : url...I created a PAT translation so that my web server (group LAN Network) could be accessed from the Internet.Although every rule seems to be ok, i got a "tcp deny access" when i try to telnet my public IP on port 80 (ping is ok).
Why is there only one Global Implicit Rule, and not one for each Interface (like in the older versions of ASA OS) ?
My syslog is full of %ASA-4-106023: Deny tcp src outside:---- by access-group "inbound-acl" messages. I did not configure an explict deny for the access list to log these denies.how I can disable logging of denied connections?
I used the ASA 5510 and in these days, facing the problem is internet is very slow. When i check in real-time log viewer debugging, i found the following logs 6|Jun 29 2011|15:47:53|106015|123.123.123.123|416|111.222.111.222|80|Deny TCP (no connection) from 123.123.123.123/416 to 111.222.111.222/80 flags ACK on interface Inside 4|Jun 29 2011|15:47:53|106023|123.123.123.123|852|111.222.111.222|80|Deny tcp src Inside:123.123.123.123/852 dst Outside: 111.222.111.222/80 by access-group "Internal_access_in" [0x0, 0x0] a lot of log message are come out and I notice that 111.222.111.222 ip is try to attack my network. In that moment, my network is very slow and nearly to be down. When I block with that ip by access list, network is up again. But after a few moment, attack from other ip, it's so terrible and so tired to block a lot of ip by acl.
I have found this in documentation (the same statement for version 8.3 and 8.4):
" Access Control Implicit Deny #All access lists (except Extended access lists) have an implicit deny statement at the end, so unless you explicitly permit traffic to pass, it will be denied. For example, if you want to allow all users to access a network through the ASA except for one or more particular addresses, then you need to deny those particular addresses and then permit all others. "
Does it mean that now all ACLs shoud have created manualy deny ip any any rule at the end ? I have migrated one ASA to version 8.3 (no host connected and I can't test it) but after migration I don't see this rule at the end of all ACLs. Does it mean that all traffic will go throu ACLs on all interfaces ? I didn't find any information about this change in documents describing new software features [URL]
So I was doing some testing with my BB Playbook where I wanted to see what outside connections it tried to make during startup and whatnot. I have a pix 506e running 6.3(5). I created an simple 'deny ip any any' access list on the inside interface so that the Playbook doesn't actually make any connections, but I set up a 'capture' on the inside interface accepting 'ip any any' to see what kind of traffic I could see heading outbound from the Playbook. Well, it started off showing attempts to query DNS (and failed, naturally), but then after a couple of minutes, it tried to connect to a couple of IPs over port 443 and actually got a response!!! For the life of me, I can't figure out how this can happen. NO traffic should be allowed outbound due to my explicit 'deny' rule, but for some reason some traffic on port 443 made it past the firewall and got a response back. There are no other rules in the access list except the 'deny' rule. My PIX configuration is quite simple and I cannot see anything that would allow the Playbook traffic to circumvent the access list.
I've come to think that either RIM has found away around Cisco access-lists, or there is a bug in the Pix OS. I know it's an old appliance/OS, but still. I wouldn't think it could be THAT easy to bypass the firewall.
We're currently PATing everything from a particular subnet to the IP of an outside interface using our ASA5585 (dynamic PAT). We're experiencing pool exhaustion and therefore need to expand the global IP range. Any way of cutting over to the new range without dropping existing connections? For clarity, the current interface address is x.x.x.37/22 and the new PAT pool is x.x.x.114-6/22.
Got an ASA5520 running V8.2(3) and we want to upgrade our internet bandwidth. Our ISP says OK but we need to install different physical circuit, upgrade CPE router, etc.
Then they say, btw your globally allocated IPs will change - this is a problem as we have Site-to-Site VPN Tunnels, IPSEC RA, etc.
ISP are proposing to give us a 3 month period whereby old & new IP blocks will be routed to our ASA (by means of secondary IP address on their Cisco CPE).
Multiple IPs on the same physical i/f on the ASA require sub-interfaces/IP Addresses/VLAN ids on my "outside" i/f.
Is this going to horiibly break Site-to-Site VPN Tunnesl, IPSEC remote access ?
Will VLANs work at all with IPSEC on the "oustide" i/f at all ?
I have created a site to site VPN between two networks. the 192.168.1.0 and the 10.0.0.0.What I want is the 10 to connect via ftp to 192.The VPN is working well, I can ping etc but when the 10 is trying to connect to the 192 it get a connection refused.The same if he tries to telnet to port 21.
It's a passive ftp that uses the ports 20,21 for connection and data and the range from 12000 to 12100 for the passive mode.I have added a rule in the access list for these ports to allow the traffic between those two ip addresses.The 192 can successfully connect via ftp to the 10.
The problem is not on the server config because it has a public interface too and you can succesfully login from there.So the problem must be on the Cisco in front of the 192. For a reason I don't know it blocks the traffic.I did a packet trace on the ASDM and I got an IPSEC spoof detected.
Does having the following configuration on an ios device present any possibility that an egress stream PAT'ed to loopback gets source port translated to the statically nat'ed port? [code]
For example, egress private ip address getting pat'ed to the loopback, eventually will have its source port translated to the '7062' in this case. How does the IOS route the return packet vs a new stream hitting the y.y.y.y on the same port?
Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a 10.0.0.0/24 network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.
Currently the rules are as follows
Incoming External allow ip any any allow tcp any any allow udp any any default deny
[code].....
It wont allow us to setup a voip call...however when the same call manager sets up a voip call NOT using this ipsec tunnel it works just fine.
configure my cisco 892 router want a static ip address assigned to the interface because and I have no more internet on the router because am working on my network academy for CCENT?
we have a cisco ASA 5505 and are trying to get the following working:
vpn client (ip 192.168.75.5) - connected to Cisco ASA 5505
the client gets a specific route for an internet address (79.143.218.35 255.255.255.255 192.168.75.1 192.168.75.5 100) when i try to access the url from the client i get a syn sent with netstat when i try the packet tracer from the ASA i see the following:
I need urgent support on creating SSID as layer 2.We have cisco WLC2504 and 1602i access point. In our network we have in gate for guest.I want to create one ssid and bind with vlan only. We can not creat interface on WLC b/c of static IP.
I am trying to assign static ip address on vlan 1 interface , the model no of switch is SG300 & the firmware version is 1.1.2.0 .But whenever I type the IP address & press enter , a question is popped up asking for confirmation (switch0d851f(config-if)#ip address 1.1.1.1 255.0.0.0.
Please ensure that the port through which the device is managed has the proper settings and is a member of the new management interface.Would you like to apply this new configuration? (Y/N)[N] N )
