Cisco Firewall :: ASA 8.4 NAT And Reply / Reverse Traffic

Jun 15, 2011

I've got a 5520 running 8.4(1).I've setup a simple NAT: [code] Running wireshark on the outside of the ASA, I can see the packets going out fine (the source address has been translated). I can see the replies coming in from the 'net. But the replies don't get through the ASA to the internal host.What do I need to do to allow the reverse packets to get through the ASA back to the host ?

View 3 Replies


Cisco Application :: Can ACE (4710) Behave As Reverse Proxy For HTTP And SSL Traffic

Jul 12, 2011

Can the ACE appliance behave as a reverse proxy for http and ssl traffic? I would assume it can given how it does SLB but SLB is not a requirement at this time.

View 2 Replies View Related

Cisco Firewall :: ASA5540 - No ICMP Reply From Inside Sub-interface

Apr 28, 2013

I need to monitor with ping the inside sub-interface of my ASA5540, is that possible? I get the ICMP requests but no replys going out from the box.
 I need to ping the from the
ASA Version 8.0(5) 
interface GigabitEthernet0/1
nameif inside


View 2 Replies View Related

Cisco Firewall :: Ping Reply Time Varies From ASA5520 To ISP Gateway

Jan 22, 2012

I have   newly deployed network. I have  two ASA5520-AIP20-k9. both connected to ISP and configured as Active/standby failover. the ASAs were working fine at first but later on, the  internet connection becomes very slow. the ping reply i am getting from  my next hop(ISP router) varies during  the peak hour is some times in 2000  msec or above but during off hours, the ping reply time is 1 and 2 msec. when I directly connect my laptop to the link that comes from the ISP its ping reply is 1msec and 2msec. I thought the ping reply of the ASA5520 to the ISP gateway should be constant and should be 1 and 2 msec regardsless of the traffic passing through the firewall.

View 1 Replies View Related

Cisco Firewall :: ASA 5505 - VPN NAT Overlap Subnets Remote Interface Does Not Reply

Jul 10, 2012

Not really a big problem, but not knowing the answer is killing me.  This is what I have:
Host 1 <-> ASA 5505 <-> VPN connection<-> ASA5510 <-> Host 2
The problem is when one of the hosts trys to reach the inside interface of the remote ASA.  E.g. Host 1 trying to ping ASA5510 inside interface.  Again Host 1 and 2 have the same subnet address of  I have configured the ASA 5505 to do the the NAT translations. 

View 3 Replies View Related

Cisco Firewall :: Reverse NAT Configuration - ASA 8.4.5

Feb 10, 2013

I have 2 data centers conencted via WAN and each has their own Internet conenction.  One of the site's Internet is close to maximum bandwidth and we want to use the second site's Internet for future connections.  The problem is the core switches in each site has a default rout to their local firewalls, so even if I can NAT on the firewall, the return traffic goes out whichever firewall is local and will fail.
So, my plan is to change the source IP address of the packets to be an address on the inside interface's LAN subnet.  That way it is routed back to the proper firewall.  I am able to do this with the following code, but this code only works with a static one to one NAT.  I am limited in public IP addresses, so I want to NAT on a per port basis.  Each time I try to change the any any to a specific port, it fails. 
object network host-inside-int
object network host-outside-nat1


View 5 Replies View Related

Cisco Firewall :: Reverse NATing On ASA 8.2?

Jul 29, 2012

I am currently trying to apply a reverse NAT on asa 8.2 and not sure how to do this. I have done this on asdm 6.2 for asa 8.3 but the options are not simiar on 8.2. Is there a CLI equivelant?

I am trying to Achieve the object below for any traffic coming from outside interface to the inside interface with any source address to destination 10.X.X.58 then translate it so that it become 192.X.X.X to address 192.X.X.58. This is so that communications can traverse internal network as the server is not ona DMZ.
I have done this on 8.3 (shown below) but do not know if it is possible for 8.2, I have tried replicating the same command on 8.2 but commands are not recognised.
nat (outside,any) source static any 192.X.X.X destination static 10.X.X.X 192.X.X.58
Should I just upgrade to 8.3? never done it before so not sure of the consequences.

View 3 Replies View Related

Cisco Firewall :: ASA 9.0.1 - Reverse DNS Resolving

Dec 22, 2012

After upgrade to 9.0.1 from 8.4 I have problems with reverse dns resolving, like this:

named[2679]: DNS format error from resolving 82.64/ for client question section mismatch: got

Only solution I found is to disable inspect dns, which is not very good.

View 2 Replies View Related

Cisco Firewall :: ASA 8.2(5) / UDP Reverse Path Check

Jun 15, 2012

ASA running 8.2(5).When I enable ip spoofing on my network interfaces I see this getting logged:

Deny UDP reverse path check from to on interface SPECTRA-LAN
This is because interface SPECTRA-LAN (VLAN50) is the interface connected to the network with ip but the interface do not have a ip address so it does not exist in the routing table I believe?However interface INTERN do also belong to network which also is the management interface and the default route for hosts in network, but has no vlan. 

1. move the management0/0 to SPECTRA-LAN and give SPECTRA-LAN ip

2. give SPECTRA-LAN a ip address in the range?

My routing table and interface list is:

Current available interface(s):
  DATA-BACKUP     Name of interface Redundant1.10
  DMZ             Name of interface Redundant1.900
  GUEST           Name of interface Redundant1.990
  HOSTING         Name of interface Redundant1.100
  Infrastruktur   Name of interface Redundant1.20


View 3 Replies View Related

Cisco Firewall :: Reverse Port Redirection With ASA 5505?

May 16, 2013

We have a singe IP Address in the Internet and want to forward SMTP traffic that hits our ASA Outside Interace to the internal Mailserver.And we like to forward Http Traffic to our Webserver.
Example. Port 25 -> Port 25 Port 80 -> 192 168.1.200 Port 80
How do i acomplish that. Which NAT rules do in need?

View 12 Replies View Related

Cisco Firewall :: ASA 5510 - Reverse Or Outbound NAT Redirect?

Jan 24, 2012

I have the need to do an outbound NAT redirection.  So what I mean is this.  I have a custom program that uses SSH to port 22 from a server inside the ASA firewall.  This goes out to a server on the Internet over port 22.    The ISP of the SSH server told me that they changed their SSH port from 22 to 2102.  So instead of changing the custom code on the developed application on the server... I thought it would be easier to do a OUTBOUND NAT redirection for the ASA to see port 22 from the server and redirect it OUTBOUND to port 2102. 
so for example:

The server is at and it uses a program to initiate SSH traffic to The server sends to port 22 but I need it automatically changed on the firewall to port 2201 at 
It is a Cisco ASA 5510.   The server at does have a fixed IP address on the outside with INBOUND NAT for things like port 25 (mail) traffic etc.  Lets pretend that was at

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - NAT Reverse Path Failure After Upgrading From 8.4(1) To 8.4(4.1)

Jul 2, 2012

After upgrading an ASA5520 from 8.4(1) to 8.4(4.1) I ran into the following trouble:
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside: dst inside: [code].....

All the subnets mentioned above are connected via VPN.

View 6 Replies View Related

Cisco Firewall :: ASA5520 IPsec Client Reverse Path Failure

May 4, 2011

ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside: dst DMZ2: (type 8, code 0) denied due to NAT reverse path failure
Cant seem to get around this one yet. I have a remote ASA that I can VPN into. It has 2 dmz's, outside and inside interface configured.
Inside subnet is / 24
DMZ2 is / 24 
VPN client pool is /24
I login in fine. But have no access to the DMZ2 subnet. I get the failure listed above.

View 1 Replies View Related

Cisco Firewall :: 5520 - Denied Due To NAT Reverse Path Failure - Asymmetric

Jul 4, 2012

I am trying to lock down the VPN access on my Cisco 5520 ASA's whereby I wish not to allow users to SSH access etc on servers running on the same interface that they are VPNing into.
I did not originally configure the ASA and so I am slightly confused by some config on it. Currently when I attempt to PING a server within the same interface as the VPN network I get the following error in the logs below.
5    Jul 05 2012    09:45:15    305013    monitoringsystem                Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src dmzAHdata:VPN IP dst AHdata:monitoringsystem (type 8, code 0) denied due to NAT reverse path failure
As a workaround I created a NAT exempt rule which then allowed traffic to the server in question however I wish to limit the traffic to only ICMP and when I do this in the firewall it does not take affect. Is this because of the NAT exempt rule?

View 1 Replies View Related

Cisco Firewall :: 5505 / Asymmetric NAT Rules Matched For Forward And Reverse Flows?

May 6, 2013

I am new to ASA's and have just configured my 5505 out the box with an outside ( + inside ( IP & NAT. The ASA has got a default route to another router (default geteway) thats connected to the internet. I have it connected this way so I can play and **** around with the ASA. My problem is when I try and ping a host on the ASA inside network ( from the outside ( I'm getting the following error:  5May 07 201316:38:36305013192.168.1.6Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside: dst inside: (type 8, code 0) denied due to NAT reverse path failure The recommendation from the syslog details is:"When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the inspect command if the application embeds the IP address". Beliw is my config:
 interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address!interface Vlan2nameif outsidesecurity-level 0ip address!boot system disk0:/asa842-k8.binftp mode passiveclock timezone EST -5clock summer-time EDT recurringdns domain-lookup insidedns domain-lookup outsidedns server-group DefaultDNSname-server network obj_anysubnet network obj_net_Insidesubnet network Outside_globalhost outside_access_in extended permit icmp any any echo-replyaccess-list outside_access_in extended permit icmp any any source-quenchaccess-list outside_access_in extended permit icmp any any unreachableaccess-list outside_access_in extended permit icmp any any time-exceededaccess-list


View 8 Replies View Related

Cisco Firewall :: 5510 Asymmetric NAT Rules Matched For Forward And Reverse Flows

Jul 29, 2012

I am seeing the following error on my Cisco ASA 5510 running 8.4(4):Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside: dst inside: denied due to NAT reverse path failure .Doing research I see there are plenty of nonat statements regarding connecting from one interface to another, but why am I seeing this error on the same interface.All our servers are connected via a Cisco 3750G switch with a very basic config.  Why is the firewall interjecting itself and causing these issues?

View 8 Replies View Related

Cisco Firewall :: 5505 Asymmetric NAT Rules Matched For Forward And Reverse Flows

Nov 11, 2012

Having a problem with a VPN site trying to communicate to a subnet off my ASA 5505. The network is simple, VPN IPSEC remote site is and I can ping and access hosts on (called InfraNet).  I am now trying to allow communications between (called FD_net) to (called Inside) [code]

View 2 Replies View Related

Cisco Firewall :: ASA5550 - Implement Traffic Shaping / Policing Primarily For P2P Traffic?

Mar 10, 2011

We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.

View 1 Replies View Related

Cisco Firewall :: Traffic Limit For Internet Traffic Usig ASA 8.2

Nov 27, 2012

I am testing limit bandwith using my ASA 8.2, i am trying to limit internet access for certains users , i order to save Bandwith for the important things but i can´t get any limitation  
My configuration is the following, the acces list is just for my pc in order to test, and the service policy is  applied to outside interface (called internet in my case)  for incoming traffic
access-list Internet_mpc_1 extended permit ip host any class-map Internet-class-TEST match access-list Internet_mpc_1 policy-map Internet-policy-web class Internet-class-TEST police output 1024000 1500
service-policy Internet-policy-web interface Internet
With show service policy i can´t see any activity on the policy , but if i do a similar configuration for inside interface outgoing traffic i can see packets allowed and dropped

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - Allow Traffic From DMZ To Internet And Block Traffic?

Apr 29, 2012

I have an ASA 5520 with the below config
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?

View 2 Replies View Related

Wireless :: Want To Reply To Craigslist Ads

Oct 13, 2011

Reply to craigslist with windows outlook

View 1 Replies View Related

Can't Reply To Emails When Using Firefox

Jun 8, 2012

I can't reply to emails when I use Firefox. When I try the page locks up. Replying to emails with Safari or Entourage is not a problem.

View 1 Replies View Related

Broadband :: Reply Destination Net Unreachable?

May 12, 2012

i have my 9 computers 1 prolink modem/router h5200 and tplink switch...for 3 months my connection is quite good..but in the 4th month its starting to Reply Destination net Unreachable..i called up a technician from the network..He changed my modem/router with the same model and it runs for an hour... 5-6 hrs..the problem starts again it begins to ping Reply Destination net Unreachable...b4 my TCP/IP i configured it automatically but now i try to put it modem/router starts with my first unit starts in and so on.

View 1 Replies View Related

Network Computer Does Not Reply Back

Jan 10, 2013

I have a problem in my Computers network. We have more than hundered computers in our network. When I ping from my computer to other computers that are on the same switch. Does not show any problem. But when I ping to the computers that are on the switched which are not directly connected to the same switch but are on the other swtiches. Ping replys some times and some times it gives request timeoue.

View 1 Replies View Related

DynDns Failed - Bad Reply From Server

Feb 23, 2012

Trying to set up remote access to webcam. Signed up with for Hostname, but when I try to set up the DDNS Service Settings in the webcam firmware it continually gives 'Bad reply from server' and I'm pretty clueless when it comes to networking! As far as I can see it requires a User name and Password plus the newly acquired Hostname as shown [URL]

View 7 Replies View Related

Cisco :: 5505 VPN Failed Anti-reply Checking

Apr 4, 2013

I have many VPN sites using ASA5505 with broadband connection and terminating on a single ASA5550.I have a problem with one site. they are having poor performance. One of the issues I can see is an error on the remote ASA 5505.ive tried the reccomended fix using this command: crypto ipsec security-association replay window-size 1024.

View 1 Replies View Related

Cisco Infrastructure :: No Icmp Reply From Catalyst 2950 Switch

Nov 15, 2005

My switches is still operating but when i ping the switch, there isn't any reply. No icmp reply from catalyst 2950 switch

View 6 Replies View Related

Pinging Local Router But Receive Direct Reply From ISP?

Oct 3, 2012

Lost Internet connectivity at home. connected via dsl line to my isp.when i issued ipconfig /all command i noticed that default gateway IP addr was a global ip addr. (77.36.x.x) instead of the usual private address DHCP server had IP address 58.206.x.x when i issued ping command, i got this output: "reply from 77.36.x.x: destination host unreachable" i couldn't access my router's configuration menu by typing in web browser's address's very interesting, because i had network issues before but could access my router's config menu and ping it. but now, i cannot reach my local router but receive reply from ISP's router.

View 10 Replies View Related

Cisco WAN :: 2950 Switch Ping Timeout Or Reply Time Is Long

Oct 1, 2012

My customer has various Cisco switches but only cisco 2950 switches has the problem of ping timeout or reply time is too long(average more than 2 sec). It will cause I Network Mangement software alarm always.

View 4 Replies View Related

Cisco Switching/Routing :: 3020 / HP NIC Teaming And Not Receiving Echo Reply

Dec 4, 2011

I am working with a strange problem at the minute with HP's NIC Teaming with Transmision Load Balancing.We have a HP blade system the Server is connected to 2 cisco 3020's and then those 2 switches are connected to a 3750 Stack consisting of 2 Members.
Theres an LACP ether channel consisting of 4 Gigabit Ethernet Ports to each 3020 from the 3750 Stack.They both have exactly the same configuration and all ports are up and the channel looks healthy.
When setting the Preference order on the server if I set the NIC connected to the 1st Cisco 3020 as primary i.e. Tx/Rx then everything is fine.If I set the NIC Connected to the 2nd Cisco 3020 as primary then all seems fine i.e. I can ping it, it can access services outside its own vlan and the internet. It cannot however ping anything connected to the same subnet and VLAN on the 3750 Stack.
Doing a packet capture on a server connected to the VLAN on the 3750 stack I can see the Echo Requests coming in and the server sending an echo Reply but the echo reply never gets back to the server with the teamed NICs.
I did a Layer 2 traceroute and all looked fine, all the MAC Tables were good.I thought maybe it was a layer 2 loop causing the problems but I have checked and re-checked STP and can't find any problems. STP has picked up one intentional loop and blocked it.
I've raised a ticket with HP to see if they can point me in the right direction but I don't think it is a problem with there Drivers. It definately seems like a networking problem.

View 5 Replies View Related

Cisco Wireless :: Configuring DHCP Reply-agent On 1142N Access Point

Feb 27, 2012

configuring DHCP on access point, i have cisco 1142N access point, in my network.. working in autonomous mode, i have assigned a static ip to access point with default gateway.. from AP i'm able to reach internet and user connecting to access point are not able to get ip.. i have DHCP server in my network. how to make access point to fetch ip from my dhcp server and assign the saem to client.

View 10 Replies View Related

Servers :: Ping Locally / Reply Successful - Destination Host Unreachable

Mar 4, 2011

I am using the window server 2008 and configure tcp/ip properties correct ping locally reply successful when ping localy but when ping then reply destination host unreachable whereas gateway and dns ip is also correct configure so tell me solution about this problem because i am useing the internet.

View 1 Replies View Related

Nortel 5520 - Specific MAC Address Doesn't Receive ARP Reply From Switch

May 26, 2013

Switch is a Nortel 5520

PC is Windows 7, with Intel 82579LM adapter

When PC was first attached to network, it could not ping gateway(switch). Turns out it was broadcasting for the gateway's MAC address, but never got a response. Tonnes of testing later, if I just change one number on the MAC address of the adapter, it receives a reply from the switch and can ping the gateway.

Why doesn't the native MAC address work?

Update: Just the vendor portion is the determining factor. As long as it starts with 2C-59-E5, it will not work. 2C-58-E5 will.

Update 2: Pinging anything in the same subnet works, just pinging the gateway interface of the switch doesn't happen. Tried on multiple drops, and there are other devices on those drops.

View 1 Replies View Related

Copyrights 2005-15, All rights reserved