Cisco Firewall :: ASA 8.4.3 - Does It Check DNS Source IP Address
Oct 29, 2012
Does ASA 8.4.3 check the source IP address of a DNS reply and drop it if the reply address is different to that in the query?
Customers DNS server does this due to a recent change, their server now has a virtual address, but replies are sent from its physcial address. This is temporary. Their PIX is happy with this.
Replace the PIX with the ASA, DNS fails, the only reason I can see is due to the way their internal DNS operates.
And that's working well. However, I now need to translate the source address of connections from the outside to the FTP server as well. The aim is that the source address of packets when they reach the FTP server is an address on the DMZ subnet (as the default route for the FTP server now needs to be something else, not the ASA) as well as this outside-dmz NAT. I thought overloading the DMZ interface of the ASA? Or another IP in that range?
I'm using a 2911 as our Public Internet Edge Router. I have 2 public sub net blocks from Sprint, we are in the process of migrating. What i need to do is NAT any source address from the Internet from an address on one of our public blocks to the other.
Example:
Source Address 11.10.10.10 ==> Destination 64.165.123.10 (nat this to 64.165.54.10) inbound.
So if from the internet tries to hit 64.165.123.10 we want to nat that to 64.165.54.10 both of which sit on our public space.
I have a problem with random host's geting the wrong source address on a ASA 5512-X 8.6(1). Right now there is a host, 192.168.25.108, showing up with 6.6.6.6 (fake) on whatsmyip.org, should be 5.5.5.5 like the rest of 192.168.25.0/24. In the xlate tabel I cant find anything wrong. Same yesterday with two host, that are using the right NAT address today.
customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address, one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
i have a problem customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
How do I check IP address of others, when in chatting or playing online game, I could only know that he is Mr. X from YZA country which appears on Screen, But I also know he is using with wrong name and wrong Country name.I would to check his IP as well as his Place?
I've configured the ACE4710 to bring the logging to a syslog server! Here's the configuration
[...] logging enable logging fastpath
[Code]....
I saw to log with connection on the syslog server but It would be interesting to know the "source ip address" and my question is : It may be possible to configure for the logging a kind of "transparent pass through"?
i would like to use the ACS 5.3 as TACACS Proxy. Basically it works. But when checking the logs on the destination TACACS Server (ACS 4.2) i see that all requests (Source-NAs) came from the IP of the TACACS-Proxy. Not from the original source IP.
This is useless for my scenario, because on the destination TACACS Server the policies are built on the NetworkDevices Groups and AAA Clients = source IPs.
I'm stuck with some NAT issues. I've got an 800-series router wich connects to the internet via a PPP connection (dialer0). On the inside the router has 192.168.0.253/24 as IP address, the outside is negotiated with the ISP
My mailserver has the ip address of 192.168.0.1 but with default gateway of 192.168.0.254 (primary internet connection). If I use plain NAT (ip nat inside source static tcp 192.168.0.1 25 interface Dialer0 80) the packets arriving on the mailserver do have a public IP address as source address.
Would it be possible to rewrite those packets (source address) so they have 192.168.0.253 as source address. This way the mailserver won't send the replies to it's default gateway but back to the cisco router.
Was the op's problem sorted? I'm interested as I have exactly the same problem with my Panasonic VT50. I haven't changed anything but it connected fine earlier this morning and now stops at "check acquired IP address". I'm then told that the TV cannot acquire IP address. I'm not a very technical person so I don't really understand all this network business. All I know is that sometimes the TV will connect without a problem, as it did all last week, and then for no apparent reason, it just won't.
One of our Cat5513 has been displaying a lot of the error message below:
%SYS-4-P2_WARN: 8/Invalid traffic from multicast source address 01:00:5a:52:4c:4d on port 8/58
The frequency of this is quite disturbing. What this error is about? Module no.8 is our Gigabit Ethernet WS-X5410. Can that multicast address be mapped to an IP address or unicast mac-addresS? How can i go about resolving this?
Charter tech came today to solve my problem of my new modem not working, he fixed the Modem but i think he did something to the lan proxy settings after.I'm trying to set up my Belkin wireless G router but i do not have the orginal CD. What should my address be under the "Use a Proxy server for your LAN" checkbox and what is the port and should i check off the bypass proxy server for local address box?
Most of the 4500 Switches in our network are giving the similar error for so many ports
%C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 1 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on p t Gi2/6 in vlan 100
Its impossible to do a wireshark packet tracing for all the ports.
Issue I am having with a Cisco 4507? Below is the error i am receiving.
Feb 14 10:06:09 EST: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 508 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Po10 in vlan 112 Feb 14 18:44:06 EST: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 119 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Po10 in vlan 112 Feb 15 00:51:06 EST: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 366 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Po10 in vlan 112
There is a unicast flood on 3750 killing slow modem links. How to determine source MAC address of flooder? Is there a rate limit feature for it?
I know how to block it completely on port-level, but it breaks normal network operation. (when port goes down for some reason, it's learned MACs got flushed and since other hosts know MACs, they keep flooding untill their arp caches expire).
I have a Belkin N150 wireless router. I have enabled MAC Address Filtering as an added level of security. However; whenever I access the router, and if I check that page; the check mark for the option to enable the filter is always blank.
I have checked the option, clicked Apply Changes, and logged out of the router. i went back in this morning, to check the security logs. (Looking like someone is trying to jump on my network) I didn't see anything there, but when I checked MAC Address Filtering; there was no check mark indicating that the filter was turned on.
Im having a (from google-fu) seemingly unique issue with load balancing. So for background, I am running the ACE 4710 device in "on a stick" mode, so I am using NAT and all that good stuff. I am also utilizing class maps and host header matching so I can save on IP space. [code]
Basically, as soon as I add that ACL_CLASS_beta.mainsite.com class map, all I get back from the ACE is RST packets and it comes back with an L7 LB Policy Miss.
It SEEMS like it should work, but it doesnt seem to like matching on those source addresses at all.
I need to check and possibly change which Network address is allowed down a tunnel and check our Phase 2 IPSEC proposal. How would I do this on a VPN3000?
I have a internal subnet 192.168.3.0/24 sitting behind an ASA firewal 8.2 and would behind accessing to web server 192.168.11.54 which sits behind the outside interface of the ASA firewall.The access would be like this:
1) 192.168.3.0/24 will be accesing to the web server http://192.168.11.54 2) We would like to translate the source 192.168.3.0/24 to the firewall outside IP address 3) We would like to translate the destination web server 192.168.11.54 to 202.90.197.146 as well
How to perform this simultaneous source and destnation address translation in ASA firewall 8.2? Could this be done in ASA firewall 8.2?
I have been tasked with building a vpn tunnel with a partner company between our company's PIX firewall and the other company's ASA's firewall. The traffic flow will be Partner A company users will be accessing my company's Citrix server. I want to source-pat the partner company user traffic to my company's PIX inside interface as it enters my LAN to access my company's Citrix server. The partner company will be PAT'ing their user traffic to a single ip address - let's say for discussion purpose it is 68.108.244.25. So there will be site-to-site vpn configuration and nat configuration required to be performed to enable this traffic flow according to the above requirements. I am comfortable with the site-to-site vpn configuration tunnel so I don't think it is necessary to post this portion of the configuration to be reviewed by this form. What I do need is NAT portion of the configuration.
{My Company's Citrix Server} ---------<inside ifc>-[PIX525]-<outside ifc>--------(internet)------{Partner Company A host PC's} 10.100.12.103 68.108.244.25
My proposed configuration to enable nat'ing (or pat'ing) Partner A user traffic to my PIX firewall's inside interface is the following:
global (inside) 9 interface nat (outside) 9 access-list PartnerA_source_nat
i know in Cisco PIX til 8.2 OS, if i have Nat control disabled and ACL permitting connection from Low Secirity ( DMZ ) to High Secuurity (INSIDE) then connectino should be successful, and i dont need any STATIC identity nat of inside IP to be created.
But i have Cisco PIX 525 with Version 7.2(2) Which is not allowing connection from DMZ to INSIDE , although nat control is disabled. and giving RFP check failure, any thought?
PIT525PIXINET# sh running-config nat-control no nat-cont
I am running a Cisco ASA 5550 in active/standby mode. We are currently running ASA OS v8.2(3)5. I am wondering if there is a way I could limit source IP concurrent connections coming in my outside interface. Does the ASA have a feature/ACL syntax that supports this?
The Cisco ASDM or the event manager show wrong source/destination for teardown tcp messages:In this example the communication is an ssh session;from 1.1.1.1 -> 2.2.2.2 ssh and the connection is reseted by 2.2.2.2
The message build outbound is correct, i.e. source is 1.1.1.1 (message id is 302013)
But the teardown is incorrect, i.e. source for the connection is 2.2.2.2 which is definitely not true (message id is 302014)
Also there seems to be a documentation bug in syslog messages for ASA 8.4 since the message for the teardown 302014 is gone!
ASA running 8.2(5).When I enable ip spoofing on my network interfaces I see this getting logged:
Deny UDP reverse path check from 10.100.100.102 to 10.100.100.255 on interface SPECTRA-LAN
This is because interface SPECTRA-LAN (VLAN50) is the interface connected to the network with ip 10.100.100.0/24 but the interface do not have a ip address so it does not exist in the routing table I believe?However interface INTERN do also belong to network 10.100.100.0/24 which also is the management interface and the default route for hosts in network 10.100.100.0/24, but has no vlan.
1. move the management0/0 to SPECTRA-LAN and give SPECTRA-LAN ip 10.100.100.1?
2. give SPECTRA-LAN a ip address in the 10.100.100.0 range?
My routing table and interface list is:
Current available interface(s): DATA-BACKUP Name of interface Redundant1.10 DMZ Name of interface Redundant1.900 GUEST Name of interface Redundant1.990 HOSTING Name of interface Redundant1.100 Infrastruktur Name of interface Redundant1.20
I've got email logging for a few specific syslog messages working and sending to an email server on the inside network. However, the source IP ends up being the DMZ interface. Is there a way to force it to use the inside IP instead?
ASA Code Version 7.22 Inside Interface IP: 10.104.36.4 Mask:255.255.255.0 DMZ IP: 10.100.20.1 Mask:255.255.255.0 SMTP Server IP: 10.100.10.100
Logging commands in config:
logging enable logging list email-alerts message 106100 logging mail email-alerts logging from-address ASA@xyz.com logging recipient-address tgw@xyz.com level debugging
I am setting up an ASA5515 to replace an existing Linux based firewall. Unfortunately the ASA5515 does not support source based routing.I have two internet connections currently used for specific connections - the second connection is NOT a failover connection.I have the default route to Internet connection 1.I want to route smtp out the second Internet connection.The routers connecting to the internet are a 877 and an 878The options I am considering is a layer 3 switch between the firewall and the routers to enable source based routing or replacing the 2 routers with a single router and the appropriate wic interfaces.
i allowed one of internal ip using static nat and public ip is 203.18.137.22 and i want to check which IP are hit this public ip ?Is there is any command to check which ip is hitting 203.18.137.22? I have the cisco 5520 asa firewall.