C:Documents and SettingsLW>ping 10.1.1.1Pinging 10.1.1.1 with 32 bytes of data:Reply from 10.1.1.1: bytes=32 time=2ms TTL=64 Reply from 10.1.1.1: bytes=32 time=1ms TTL=64 Reply from 10.1.1.1: bytes=32 time=1ms TTL=64 Reply from 10.1.1.1: bytes=32 time=1ms TTL=64Ping statistics for 10.1.1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
When I try to ping ipv6.xsnews.nl on either of my Windows 7 computers, it returns "Ping request could not find host". But when I do it on XP, it succeeds. I have tried putting the W7 PC in the DMZ, disabling the software firewall but it doesn't work.
What I think it involves is having ipv6 installed on each. I tried to duplicate the setup of both the XP and a W7 computer, installing the gogo6 tunnel. But apparently it's not setup on this computer because the ping result is the same as on the third computer which hasn't had ipv6 installed. s not setup on this computer because the ping result is the same as on the third computer which hasn
i have my Cisco E4200 set up with a 6rd tunnel. the tunnel seems to work fine for the most part. i can ping ipv6.google.com and get a response.however, i cannot ping the addresses of the IPv6 Tunnel ends from within my network. If i run a ping from outside the network, i can ping the IPv6 address of the server end, however, i cannot ping the E4200's end of the tunnel. is there a specific option that needs to be set? i have allowed ping so that my IPv4 address is pingable, am i missing something for IPv6?
I am trying to configure my ASA 5505 security plus through ASDM to receive two blocks of outside IPs (each of which is on a different subnet and a different gateway ip) to translate to my internal server giving it public access.I have searched for days (and maybe incorrectly) but I am finally asking for the configuration of the ASA to support this.
We have 2 IP blocks from my ISP. We have been using just one a /30 block with one IP address used on the outside interface of the device. The new block is a /29 range and I would need to use just two of those IP addresses. Here is the situation I am facing.A company we partnered with wants to set up a VPN, they will send us 2 Cisco 861s to put behind our ASA. Is it possible to assign these 861's with public IPs from the block that we are not currently using? (the /29 range)? I know that it might require an upgrade to the Security Plus.
I have an ASA that is logging the message %ASA-3-321007: system is low on free memory blocks of size 2048. I ran the "show blocks" command and the "Cnt" value for the 2048 blocks is 0. How do I reclaim these blocks and what are they used for?
I am trying to get up to speed on this topic as quickly as possible.
Here is my issue:
1) We are able to access the webiste
2) We are able to upload data packets
3) We allow the website to time out while we are uploading data packets
4) When we attempt to re-access the website the ip is blocked a) this includes pinging and trace
5) After an undertermined period of time the ip is unblocked and we are allowed to access it again.
The ASA 5505 router is the last forward facing stop before entering the VPN tunnel. We have tested by circumventing the ASA and we are unable to duplicate the disconnect. We have reviewed the config file and have not been able to identify what rule/settings could be affecting this.
when tracing port usage, the actions use 2 tcp ports and 1 udp port, the 2 tcp ports open and close by each transaction, when the ip block occures the 2 tcp ports are "dead" the udp port remains open (appearhently sending the remainder of the data packets)
I have an ASA5510 running version 8.4. ICMP is blocked from the internet to the outside interface of our firewall but now our ISP is requesting us to allow ICMP from their network to the outside of our ASA. I need to allow ICMP from three blocks of IP Addresses?
I have two complete networks in my office. I want to access my printer from both the networks. Condition: With the Firewall I can't access computer of one network from another how can I access the printer from both the LANs. I am not allowed to play with Firewall.
I am having trouble with our ASA5510. After upgrading the internal memory from 256 MB to 1 GB and upgrading the firmware to 8.4.2 we are experiencing that the ASA is running out of 1550 byte blocks. When that happens it is not possible to connect to the ASA by ADSM or SSH and new VPN IPSEC tunnels are not coming up. The only way I know how to fix this is to reload the ASA. This is happening every 2 to 3 days.
In the free blocks graph one can see that there is a loss of about 20 blocks per 10 minutes.
i cannot send emails to outside, i have an access rule on interface inside permit source: inside destination: any servic: tcp/smtp and when i make paket tracer it shows me that the packet is dropped but i cant see through which rule!!
I have a Cisco RV042 Wired Router. I've got a static IP and a MS Small Business Server in my Router Network. I have forwarded the essential ports to use the IIS and the Exchange Server of my SBS2011 (https, http, smtp, rpc).
I can use the IIS, if the firewall is activated, but the exchange Server can not receive any emails. I have also created some firewall access rules for the mentioned services but without success.
I have installed a new ASA5510 with CSC, and everything is working properly except the access to websites using https. All sites/access to them seem to be blocked by the ASA. I have read that this access is by default enabled and I have tried to add configuration to allow https access to the firewall but without success. [code]
I have a problem after upgrading the ASA5505 unlimited to 8.4.1, the message shown after startup is:IO memory blocks requested from bigphys 32bit: 9672 It has 512 Mb of ram and this is the view from sh ver:
Cisco Adaptive Security Appliance Software Version 8.4(1) Device Manager Version 6.4(1) Compiled on Mon 31-Jan-11 02:11 by builders System image file is "disk0:/asa841-k8.bin" Config file at boot was "startup-config"
I have a Cisco RV042 Wired Router. I've got a static IP and a MS Small Business Server in my Router Network. I have forwarded the essential ports to use the IIS and the Exchange Server of my SBS2011 (HTTPS, HTTP, smtp, rpc). I have also created some access rules for these ports, but I don't have any access on my server services, if the firewall is activated.
Here are my Firewall Access Rules from the RV042 Web Interface:
I could access from outside to dmz but after i moved to IPv6 as there is no nat needed, i applied the acl's but dont know where i'm going wrong. I need access from outside to dmz web server.
I need to understand if ASA 5550 ver 8.2(1) is comptible with IPv6, if not what is the upgrade path to make it IPv6 compatible. The requirement is dual stack of IPv4 and IPv6 should run in the same HA cluster and later will shift IPv6 completely.
The existing infrastructure is equipped with ASA with HA Active/Active mode. The command output for required details are attached here in txt mode.
I am trying to configure Zone Based Firewall (IOS 15.2T) on Cisco 881 router for IPv6. Current setup is simple:
Zone: LAN --> WAN zone security LAN zone security WAN ! class-map type inspect match-any Internet-cmap match protocol dns match protocol http match protocol https [ code ] ........
Current configuration behaves as expected for IPv4, but blocks all IPv6 traffic. If zone-security is removed from WAN interface IPv6 works normally (connected to Internet). As soon as zone-security is enabled on WAN interface all IPV6 traffic is discarded when connecting to Internet from local LAN.
Error messages on console: Half-open Sessions source destination tcp SIS_OPENING/TCP_SYNSENT
Are there any special settings for ZBF which should be turned on for IPv6 protocol?
i have a 5505 running 8.4, and my ISP is giving me a /64 IPv6 Prefix. Basically, I have a subnet between my ASA and my ISP's box which is my outside, running into a private subnet (192.168.0.0), as most of ISP does.I have my ASA behind, and i'd like to turn on IPv6 for my inside hosts, but the problem is that I can't modify the routing on y ISP's side, and thus it will assume all host are directly connected in my outside. Thus, I would need some kind of Neighbor Discovery Proxy on the Outside of the ASA. Is there such feature ?
My VPN users are able to access IPV4 resources, but not IPV6, all of my other user who are not VPN users are able to access everything V4 and V6. So my network goes:
Unfortunately I didn't discover any configuration switches concerning an IPv6 firewall! So the important question is: Is there any firewall implemented at all? And if so, does it confirm to RFC6092.
We have been testing out IPv6 configurations on a 5520 running 8.2(4). We have assigned EUI-64 prefix addresses to sub-interfaces to allow clients to auto-configure there IPv6 IPs and it works correctly. I used ASDM to do the original configuration and noticed that there were two different ways to do it, both of which seem to work. I can add a prefix under the Interface IPv6 Addresses dialog box and check EUI64 or I can add it under the Interface IPv6 Prefixes. But using the two methods yields two different interface configurations:
1. interface GigabitEthernet0/1.40 vlan 40 nameif test
At this moment (firmware 1.0.3.5) the router has no IPv6 firewall and therefore when used in a typical dual stack IPv4/IPv6 network it has no protection regarding IPv6 traffic. Hopefully this will be fixed with a firmware update before the World IPv6 Day on the 6th of June 2012.
Would like to learn from you what tools I could use in a Network that provides IPv6 visibility and also completely blocks IPv6 from being tunneled through ipv4 only networks.
I have tested this from Linux running some internal penetration test apps,but specifically running Teredo tunneling in Local LAN that is able to completely bypass security paremeters such as websence filtering servers and be able to accessing internet IPv6 sites, even its equivalent IPv6 address based on its IPv4 PAT address could be pinged from outside.. is like the PIX firewall never existed - wide opened door .
Blocking in outbound and inbound direction udp ports 3545 and 3544 seem to done the trick in dropping IPv6 at the PIX/ASA from being tunneled out or in.. Is this so ? Realy ? not to fast!! None of our local systems - users PCs or servers have IPv6 stack enabled as a policy, however, in reality this poses a serious thread.
For example, Teredo tunneling running in a host inside LAN say by a user who is a hacker can use different UDP ports from the standard listening udp 3545/3544 ports, host will still be able to tunnel IPv6 through IPv4 again, in this case I want to have tool or a strategy that can detect this internally beside being blocked at the firewall, I am looking at AIP for our ASAs would this help? What other tools could I utilized to have some sort of IPv6 awareness in our LAN without having to rung IPv6 that can provide some visibility of this invisible traffic in IPv4 LANs.
To show up the ASA as a hop in a traceroute, one can use the 'set connection decrement-ttl' feature in a policy map.During my tests I recognized, that this behaviour only affects IPv4 traffic.
An IPv6 traceroute still does not show the ASA as a hop.How can I configure the ASA to show up as a hop in an IPv6 traceroute?The ASA is a 5520 with v8.4(1) installed.
I am able to ping from Switch to firewall inside ip and user desktop ip but unable to ping from user desktop to FW Inside ip.. config is below for both switch and FW Cisco ASA5510....
TechCore-SW#ping 172.22.15.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
