I've got a 5520 running 8.4(1).I've setup a simple NAT: [code] Running wireshark on the outside of the ASA, I can see the packets going out fine (the source address has been translated). I can see the replies coming in from the 'net. But the replies don't get through the ASA to the internal host.What do I need to do to allow the reverse packets to get through the ASA back to the host ?
I have newly deployed network. I have two ASA5520-AIP20-k9. both connected to ISP and configured as Active/standby failover. the ASAs were working fine at first but later on, the internet connection becomes very slow. the ping reply i am getting from my next hop(ISP router) varies during the peak hour is some times in 2000 msec or above but during off hours, the ping reply time is 1 and 2 msec. when I directly connect my laptop to the link that comes from the ISP its ping reply is 1msec and 2msec. I thought the ping reply of the ASA5520 to the ISP gateway should be constant and should be 1 and 2 msec regardsless of the traffic passing through the firewall.
The problem is when one of the hosts trys to reach the inside interface of the remote ASA. E.g. Host 1 trying to ping ASA5510 inside interface. Again Host 1 and 2 have the same subnet address of 10.1.1.0/24. I have configured the ASA 5505 to do the the NAT translations.
I have 2 data centers conencted via WAN and each has their own Internet conenction. One of the site's Internet is close to maximum bandwidth and we want to use the second site's Internet for future connections. The problem is the core switches in each site has a default rout to their local firewalls, so even if I can NAT on the firewall, the return traffic goes out whichever firewall is local and will fail.
So, my plan is to change the source IP address of the packets to be an address on the inside interface's LAN subnet. That way it is routed back to the proper firewall. I am able to do this with the following code, but this code only works with a static one to one NAT. I am limited in public IP addresses, so I want to NAT on a per port basis. Each time I try to change the any any to a specific port, it fails.
I am currently trying to apply a reverse NAT on asa 8.2 and not sure how to do this. I have done this on asdm 6.2 for asa 8.3 but the options are not simiar on 8.2. Is there a CLI equivelant?
I am trying to Achieve the object below for any traffic coming from outside interface to the inside interface with any source address to destination 10.X.X.58 then translate it so that it become 192.X.X.X to address 192.X.X.58. This is so that communications can traverse internal network as the server is not ona DMZ.
I have done this on 8.3 (shown below) but do not know if it is possible for 8.2, I have tried replicating the same command on 8.2 but commands are not recognised.
nat (outside,any) source static any 192.X.X.X destination static 10.X.X.X 192.X.X.58
Should I just upgrade to 8.3? never done it before so not sure of the consequences.
ASA running 8.2(5).When I enable ip spoofing on my network interfaces I see this getting logged:
Deny UDP reverse path check from 10.100.100.102 to 10.100.100.255 on interface SPECTRA-LAN
This is because interface SPECTRA-LAN (VLAN50) is the interface connected to the network with ip 10.100.100.0/24 but the interface do not have a ip address so it does not exist in the routing table I believe?However interface INTERN do also belong to network 10.100.100.0/24 which also is the management interface and the default route for hosts in network 10.100.100.0/24, but has no vlan.
1. move the management0/0 to SPECTRA-LAN and give SPECTRA-LAN ip 10.100.100.1?
2. give SPECTRA-LAN a ip address in the 10.100.100.0 range?
My routing table and interface list is:
Current available interface(s): DATA-BACKUP Name of interface Redundant1.10 DMZ Name of interface Redundant1.900 GUEST Name of interface Redundant1.990 HOSTING Name of interface Redundant1.100 Infrastruktur Name of interface Redundant1.20
I have the need to do an outbound NAT redirection. So what I mean is this. I have a custom program that uses SSH to port 22 from a server inside the ASA firewall. This goes out to a server on the Internet over port 22. The ISP of the SSH server told me that they changed their SSH port from 22 to 2102. So instead of changing the custom code on the developed application on the server... I thought it would be easier to do a OUTBOUND NAT redirection for the ASA to see port 22 from the server and redirect it OUTBOUND to port 2102.
so for example:
The server is at 192.168.0.2 and it uses a program to initiate SSH traffic to 184.108.40.206. The server sends to port 22 but I need it automatically changed on the firewall to port 2201 at 220.127.116.11.
It is a Cisco ASA 5510. The server at 192.168.0.2 does have a fixed IP address on the outside with INBOUND NAT for things like port 25 (mail) traffic etc. Lets pretend that was at 18.104.22.168.
I am trying to lock down the VPN access on my Cisco 5520 ASA's whereby I wish not to allow users to SSH access etc on servers running on the same interface that they are VPNing into.
I did not originally configure the ASA and so I am slightly confused by some config on it. Currently when I attempt to PING a server within the same interface as the VPN network I get the following error in the logs below.
5 Jul 05 2012 09:45:15 305013 monitoringsystem Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src dmzAHdata:VPN IP dst AHdata:monitoringsystem (type 8, code 0) denied due to NAT reverse path failure
As a workaround I created a NAT exempt rule which then allowed traffic to the server in question however I wish to limit the traffic to only ICMP and when I do this in the firewall it does not take affect. Is this because of the NAT exempt rule?
I am new to ASA's and have just configured my 5505 out the box with an outside (10.10.1.7) + inside (192.168.1.1) IP & NAT. The ASA has got a default route to another router (default geteway) thats connected to the internet. I have it connected this way so I can play and **** around with the ASA. My problem is when I try and ping a host on the ASA inside network (192.168.1.0/24) from the outside (10.10.1.0/24) I'm getting the following error: 5May 07 201316:38:36305013192.168.1.6Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.1.22 dst inside:192.168.1.6 (type 8, code 0) denied due to NAT reverse path failure The recommendation from the syslog details is:"When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the inspect command if the application embeds the IP address". Beliw is my config:
interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 10.10.1.7 255.255.255.0!boot system disk0:/asa842-k8.binftp mode passiveclock timezone EST -5clock summer-time EDT recurringdns domain-lookup insidedns domain-lookup outsidedns server-group DefaultDNSname-server 10.10.1.1object network obj_anysubnet 0.0.0.0 0.0.0.0object network obj_net_Insidesubnet 192.168.1.0 255.255.255.0object network Outside_globalhost 10.10.1.6access-list outside_access_in extended permit icmp any any echo-replyaccess-list outside_access_in extended permit icmp any any source-quenchaccess-list outside_access_in extended permit icmp any any unreachableaccess-list outside_access_in extended permit icmp any any time-exceededaccess-list
I am seeing the following error on my Cisco ASA 5510 running 8.4(4):Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.8/1798 dst inside:10.1.0.14/25 denied due to NAT reverse path failure .Doing research I see there are plenty of nonat statements regarding connecting from one interface to another, but why am I seeing this error on the same interface.All our servers are connected via a Cisco 3750G switch with a very basic config. Why is the firewall interjecting itself and causing these issues?
Having a problem with a VPN site trying to communicate to a subnet off my ASA 5505. The network is simple, VPN IPSEC remote site is 192.168.6.0/24 and I can ping and access hosts on 192.168.10.0/24 (called InfraNet). I am now trying to allow communications between 192.168.6.0/24 (called FD_net) to 192.168.9.0/24 (called Inside) [code]
We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.
i have my 9 computers 1 prolink modem/router h5200 and tplink switch...for 3 months my connection is quite good..but in the 4th month its starting to Reply 192.168.1.1 Destination net Unreachable..i called up a technician from the network..He changed my modem/router with the same model and it runs for an hour... 5-6 hrs..the problem starts again it begins to ping Reply 192.168.1.1 Destination net Unreachable...b4 my TCP/IP i configured it automatically but now i try to put it manually...my modem/router starts with 192.168.1.1 my first unit starts in 192.168.1.2 and so on.
I have a problem in my Computers network. We have more than hundered computers in our network. When I ping from my computer to other computers that are on the same switch. Does not show any problem. But when I ping to the computers that are on the switched which are not directly connected to the same switch but are on the other swtiches. Ping replys some times and some times it gives request timeoue.
Trying to set up remote access to webcam. Signed up with dyndns.org for Hostname, but when I try to set up the DDNS Service Settings in the webcam firmware it continually gives 'Bad reply from server' and I'm pretty clueless when it comes to networking! As far as I can see it requires a User name and Password plus the newly acquired Hostname as shown [URL]
I have many VPN sites using ASA5505 with broadband connection and terminating on a single ASA5550.I have a problem with one site. they are having poor performance. One of the issues I can see is an error on the remote ASA 5505.ive tried the reccomended fix using this command: crypto ipsec security-association replay window-size 1024.
Lost Internet connectivity at home. connected via dsl line to my isp.when i issued ipconfig /all command i noticed that default gateway IP addr was a global ip addr. (77.36.x.x) instead of the usual private address 192.168.1.1. DHCP server had IP address 58.206.x.x when i issued ping 192.168.1.1 command, i got this output: "reply from 77.36.x.x: destination host unreachable" i couldn't access my router's configuration menu by typing 192.168.1.1 in web browser's address field.it's very interesting, because i had network issues before but could access my router's config menu and ping it. but now, i cannot reach my local router but receive reply from ISP's router.
My customer has various Cisco switches but only cisco 2950 switches has the problem of ping timeout or reply time is too long(average more than 2 sec). It will cause I Network Mangement software alarm always.
I am working with a strange problem at the minute with HP's NIC Teaming with Transmision Load Balancing.We have a HP blade system the Server is connected to 2 cisco 3020's and then those 2 switches are connected to a 3750 Stack consisting of 2 Members.
Theres an LACP ether channel consisting of 4 Gigabit Ethernet Ports to each 3020 from the 3750 Stack.They both have exactly the same configuration and all ports are up and the channel looks healthy.
When setting the Preference order on the server if I set the NIC connected to the 1st Cisco 3020 as primary i.e. Tx/Rx then everything is fine.If I set the NIC Connected to the 2nd Cisco 3020 as primary then all seems fine i.e. I can ping it, it can access services outside its own vlan and the internet. It cannot however ping anything connected to the same subnet and VLAN on the 3750 Stack.
Doing a packet capture on a server connected to the VLAN on the 3750 stack I can see the Echo Requests coming in and the server sending an echo Reply but the echo reply never gets back to the server with the teamed NICs.
I did a Layer 2 traceroute and all looked fine, all the MAC Tables were good.I thought maybe it was a layer 2 loop causing the problems but I have checked and re-checked STP and can't find any problems. STP has picked up one intentional loop and blocked it.
I've raised a ticket with HP to see if they can point me in the right direction but I don't think it is a problem with there Drivers. It definately seems like a networking problem.
configuring DHCP on access point, i have cisco 1142N access point, in my network.. working in autonomous mode, i have assigned a static ip to access point with default gateway.. from AP i'm able to reach internet and user connecting to access point are not able to get ip.. i have DHCP server in my network. how to make access point to fetch ip from my dhcp server and assign the saem to client.
I am using the window server 2008 and configure tcp/ip properties correct ping locally reply successful when ping localy but when ping yahoo.com then reply destination host unreachable whereas gateway and dns ip is also correct configure so tell me solution about this problem because i am useing the internet.
When PC was first attached to network, it could not ping gateway(switch). Turns out it was broadcasting for the gateway's MAC address, but never got a response. Tonnes of testing later, if I just change one number on the MAC address of the adapter, it receives a reply from the switch and can ping the gateway.
Why doesn't the native MAC address work?
Update: Just the vendor portion is the determining factor. As long as it starts with 2C-59-E5, it will not work. 2C-58-E5 will.
Update 2: Pinging anything in the same subnet works, just pinging the gateway interface of the switch doesn't happen. Tried on multiple drops, and there are other devices on those drops.