Cisco Firewall :: ASA DNS Modification Is Not Working On 8.4(3)?

Jul 22, 2012

I have a server (172.16.10.1) inside the LAN, and the IP of the server has been mapped to public IP 41.219.130.10.
 
Topology
                                                          Server (172.16.10.1)
DNS Server (8.8.8.8) ----- Outside  ASA  Inside ----------- |
                                                          User (192.168.1.x)
  
Users are using a public DNS server to resolve the domain. In this case, users will resolve the server domain to the public IP address 41.219.130.10 instead of 172.16.10.1, which makes the server unreachable for the users by default. So I enabled the DNS modification feature on the ASA. The DNS keyword has been added to the static NAT clause. The ASA is supposed to modify the DNS record to change the public IP to the private IP address. But it is not working.
 
access-list inside_acl extended permit udp any host 8.8.8.8 eq 53
access-list outside_acl extended permit tcp any host 41.219.130.10
access-group inside_acl in interface inside
access-group inside_acl in interface outside

[code].....


Cisco Routers :: RVS4000 ACL Modification Bug

May 16, 2012

I have an RVS4000 running V2.0.2.7 firmware that gives me an "Invalid Character(s) Found" error message when I try to edit an existing ACL.
 
I'm trying to deploy 57 of these routers and would like to be able to use a pre-built config dropped onto each router.
 
I initially planned on editing the exported config with a find&replace for my local LAN addresses. Since that didn't work the next reasonable solution would be to edit the ACL list (much more tedious, but still better than hand-entering every ACL on all 57 devices).
 
When will this bug be addressed? Alternatively, if there is an offline configuration editing tool I would be one happy camper to have it!


No Internet After Modification On TCP / IP Settings?

Jun 22, 2012

Whenever I make a change to the TCP/IP settings in Control Panel (change DNS, change IP), after clicking OK, my LAN connection turns to unidentified network. Even after I change back to the default settings, I still can't get the connection back. This not only happens when I change settings on the TCP/IP; after I install antivirus or VMware, I get a yellow exclamation mark on the network icon in the taskbar, meaning no internet access. It seems that whatever change is made to the network or internet settings, it blocks the connections. How do I get the connection back?


Cisco Wireless :: 5508 - Licenses Require Any Modification When Flashing?

Mar 13, 2011

We have a cisco services contract with IBM that supplies us access to the usb drivers, firmwares etc, and we have a Cisco 5508 6.x running ~30 Cisco 1252's, some 1231's and (potentially) some 1262's once the firmware update is done.
 
We have a base-count license(permanent) of 50AP's, no expiry
 
So I guess my questions are:
 
1) When flashing the new firmware - do the licenses require any sort of modification, or will they work as per normal?

2) Are any serial numbers or codes required to be entered once the 7.0.98 firmware is installed?

3) I assume that the old firmware/config becomes 2nd in line to the primary boot option of the firmware during boot process?


Cisco AAA/Identity/Nac :: ACS 5.3 Host Internal Identity Store / Per Group Modification

Jan 24, 2012

I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles do not include "per group restriction". Under the ACS I defined one group per department. My objective is to allow each department to access their ACS MAC database to add or delete MAC addresses as required.

How to restrict internal identity store per group? Do I need to create new roles? And how? I was not able to get an answer from the ACS ADMIN manual.


Cisco Firewall :: ASA 8.4 NAT Not Working?

Jul 15, 2012

My ASA config does not work? My config is attached in a txt file.
 
I tried to forward port 25 and 110 from the outside to the inside server, but I can't connect...


Cisco Firewall :: Get ASA 8.2(1) Working With FTPS On IIS 7.5?

May 16, 2012

I found the link that effectively said PIX/ASA 7.x does not support FTP with TLS/SSL (FTP/FTPS). I can't find anything which states whether it works on a later release? We have 8.2(1) and we are struggling to implement it. The FTP/FTPS server is in the DMZ and is hosted by Windows 2008 IIS 7.5. How to get this solution implemented, as the contractor from our local Cisco vendor spent 3 hours on it and couldn't get it working this morning.


Cisco Firewall :: ASA 5512 - SSL VPN Not Working

Nov 10, 2012

I have a Windows 2003 server and an ASA 5512.
 
I'm trying to use SSLVPN and it was all working, and I don't believe any configs on either box have been changed.
 
On Friday people were connecting, but now I get a message "Login Error" in the browser. In the ASDM home 'Latest ASDM Syslog Messages' I get "AAA authentication server not accessible", followed by two messages: "AAA Marking LDAP server in group as FAILED" and "AAA Marking LDAP server in group as ACTIVE".
 
When I go to configuration --> Remote Access VPN --> AAA/Local Users AAA server groups and click on my RADIUS server and click Test, it takes a while and says ERROR: AD agent Server not responding: No error
 
If I stop my IAS server on my Windows box I get the same error but much more quickly.

I have a SonicWALL set up doing the same thing, and RADIUS seems to work happily, so I don't think it's the server config...


Cisco Firewall :: PoE On ASA 5505 Not Working (8.4)

Jun 2, 2012

I recently acquired a used ASA 5505 and have encountered issues with getting the PoE output on Ports 6 & 7 working. These two PoE ports are behaving like all the other ports (100mbit, Vlan 1). Per the best I could Google, I made sure all the relevant ports are set to "auto" for duplex and link speed. Again, the ports do work for data - just not PoE. The LEDs light up ok.
 
I've tested four different working devices that can be powered off PoE with it, and all failed to power up using a straight-thru Ethernet cable connected to ports 6 & 7.

Ubiquiti PicoStation M2
MikroTik OmniTik
MikroTik RB450G
MikroTik RB433
 
What should I do to get PoE working? Is it a defective unit?
 
: Saved
: Written by enable_15 at 18:56:43.926 CDT Sun Jun 3 2012
!
ASA Version 8.4(4)

[Code].....


Cisco Firewall :: SSH Not Working In 5505?

May 20, 2013

I'm trying to set up my 5505 for SSH but it doesn't seem to work. Console and HTTPS/ASDM are working.

My Tera Term is just stuck at the user/password screen. I also tried using PuTTY but it still failed.
 
ciscoasa# exit 
Logoff 
Username: admin

[Code].....


Cisco Firewall :: ASDM Not Working With ASA 8.4

Jan 14, 2013

I have recently upgraded the ASA to 8.4 and found that ASDM is not working on it. I tried the latest ASDM version 7.1, still no luck. When I try to access the ASA using IE... it just shows "Page can not be displayed".
 
Following is the config which I have
 
http server enable
http 0.0.0.0 0.0.0.0 inside
http 10.52.193.218 255.255.255.255 inside
asdm image disk0:/asdm-711-52.bin
asdm location 0.0.0.0 0.0.0.0 inside
asdm history enable
 
Is there anything else required in ASA 8.4 for ASDM to work? When I telnet to ASA interface with 443 port it works


Cisco Firewall :: ASA 8.3 Outgoing NAT Not Working Right

Jul 11, 2011

We recently upgraded our ASA to 8.3, most everything went ok, but I am having problems with outgoing nat. It seems that one of our systems that needs to be natted to an outside IP address when connecting out is not doing it. When that system goes out the IP address is our internet IP and not the natted address; however, inbound everything works.
 
We have one rule that does PAT
 
nat (INSIDE,OUTSIDE) source dynamic OG_IP_NAT_DMZ obj-1.1.1.1

This is the natting statement that should be translating the addresses

object network obj-10.200.0.10
nat (INSIDE,OUTSIDE) static 2.2.2.2

I think I need to double nat, is that right? If so, how?


Cisco Firewall :: Telnet / Ssh To ASA 8.2 Not Working

Oct 7, 2012

I am not able to telnet or ssh to the ASA running 8.2.5(33). [code] I am able to ping the inside interface of the ASA. Telnet gets stuck at Trying.


Cisco Firewall :: ASA 5510 - SSH Is Not Working

Jul 1, 2011

I configured ASA 5510 with IOS 8.4.2 version. I configured SSH to outside and backup interface with any any permission.
 
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 backup
 
configured password with command
 
passwd < Password>
  
While connecting from outside through PuTTY I am not able to authenticate the password.

After entering the user name as pix it's asking for the password. After entering it, it's not authenticating.

I took the output by telnetting to the inside after connecting to the firewall from outside and entering the username as pix
 
PM-ASA-5510# sh ssh sessions
SID Client IP       Version Mode Encryption Hmac     State            Username
1   122.169.252.112 2.0     IN   aes256-cbc sha1     KeysExchanged    pix
                            OUT  aes256-cbc sha1     KeysExchanged    pix
SPM-ASA-5510#


Cisco Firewall :: Twice NAT Not Working With 5510

Aug 22, 2012

Our NOC is trying to configure a site to site tunnel to one of our customers. The tunnel is up and operational, however we can't get our NAT rules to match what we want.
 
We are running ASA version 8.4(3)
 
The traffic is sourced from 172.16.1.50 (inside1) and destined to 192.168.2.9 (outside), the nat configuration is posted below:
 
NOC-ASA5510-01# show run nat
nat (inside1,inside2) source static ng-noc-networks ng-noc-networks destination static ng-inside2-networks ng-inside2-networks
nat (inside1,outside) source static test test-EXT destination static otherside otherside
object network obj_any
nat (inside1,outside) dynamic interface dns
object network servers-noc
nat (inside1,outside) static 192.168.1.68
 
Here is the output from the show nat detailed:
 
NOC-ASA5510-01# show nat detail
Manual NAT Policies (Section 1)
I left off entry 1 but it doesn't have any translated hits either

2 (inside1) to (outside) source static test test-EXT   destination static otherside otherside
    translate_hits = 0, untranslate_hits = 624
    Source - Origin: 172.16.1.50/32, Translated: 192.168.1.67/32
    Destination - Origin:192.168.2.9/32, Translated:192.168.2.9/32
 
Auto NAT Policies (Section 2)
1 (inside1) to (outside) source static servers-noc 192.168.1.68 
    translate_hits = 0, untranslate_hits = 187
    Source - Origin: 172.16.1.101/32, Translated: 192.168.1.68/32
2 (inside1) to (outside) source dynamic obj_any interface   dns
    translate_hits = 58417, untranslate_hits = 1511
    Source - Origin: 0.0.0.0/0, Translated: 192.168.1.66/29
 
Here are the network objects:
 
object network test
host 172.16.1.50
object network test-EXT
host 192.168.1.67
[Code]...


Cisco Firewall :: ASA 5505 Not Working?

Jul 2, 2012

When I install my ASA5505 I get the following message? "This platform has a Base license.
 
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode   :  CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode:  CNlite-MC-IPSEC-Admin-3.03
IPSec microcode  :  CNlite-MC-IPSECm-MAIN-2.05
i2c_write_byte_w_suspend() error, slot = 0x0, device = 0x40, address = 26 byte
count = 1. Reason: I2C_UNPOPULATED_ERROR"


Cisco Firewall :: ASA 5510 NAT Doesn't Appear To Be Working

Mar 8, 2012

I've got an ASA 5510 running 8.4. I have a host on an inside interface, with a static NAT configured on the ASA. The inbound/return half of the NAT doesn't appear to be working. [code] I run a ping from the host (192.168.100.98) to something on the outside (1.2.3.4). Running captures, I can see the outbound ping leaving, having been NATed OK. I can see the reply coming back in to the outside interface with the correct IP address, but I never see the final NATed packet appear on the inside interface. The packet just disappears inside the ASA.


Cisco Firewall :: Cut-Through Proxy Not Working With ASA5520

Jan 16, 2012

I'm trying to configure an ASA 5520 with cut-through proxy feature. The user is required to be authenticated when trying to access an outside resource from the inside. This is a test lab before it is implemented in production. [code]


Cisco Firewall :: Getting Failover Working Again After Upgrade From 8.2.2 To 8.4.2

Sep 6, 2011

When we had 8.2.2, we bought a Mobile license to make the iPads running AnyConnect happy. I applied it, but since we'd only purchased one license, it broke failover.  8.4 lets you share tracking licenses, and since we were planning on the upgrade to 8.4.x anyway, I figured no big deal, I'll get that straightened out when I do the upgrade.
 
Did the upgrade this weekend, and I still can't get things happy, the boxes don't see one-another:
  
Here's a show failover on the primary:
 
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 6 of 160

[Code].....


Cisco Firewall :: ASDM 524 Not Working On PIX 515e 7.2.4(30)

May 21, 2012

I've been struggling to get ASDM (PDM) installed and running on my PIX 515e. The PIX IOS version is 7.2.4(30) The ASDM version I've copied to flash is 524.

I've followed the Cisco documentation verbatim, however I still cannot connect via the Java ASDM client or via http. When I try to connect via http, my PIX shows the following error: "tcp access denied by acl from..." I do not think this is a security (ACL) issue as I've tested after opening everything up and still no luck.
 
Here's my running config (w/ the relevant statements prepended with ">>>"):
  
show run
: Saved
:

[Code]....


Cisco Firewall :: ASA 5540 - NAT Not Working After Upgrade

Apr 26, 2011

Just upped our external ASA-5540 pair to 8.4(1), and now one of our nat's is busted.
 
Here's the lowdown:
 
Our public IP for our IronPorts ends in .167.  That IP is natted to a VIP on our ACE, which load balances to the IronPorts.
 
The outside interface of the ASA uses .162, which has been the pat for all outbound traffic for a few years... except for the subnet that houses the IronPorts.  Due to reverse lookup, that subnet uses the .167 IP address for all outbound traffic.
 
After the code upgrade, the nat won't work.  No email sent or received.  Nothing but Deny's on the ASA with flags reading either "SYN" or "RST".  IE:

Apr 27 12:56:11 10.22.151.41 local5.crit %ASA-2-106001: Inbound TCP connection denied from 69.25.174.17/36917 to 207.236.211.167/25 flags SYN  on interface outside
 
If I return the subnet pat back to the outside interface, then inbound traffic works fine, though reverse lookup fails and anyone running a reasonable spam filter won't send to us.


Cisco Firewall :: Static 1 To 1 NAT Not Working On ASA 5505

Jan 28, 2013

I have 2 internal servers sitting on the inside interface.

Inside network vlan 1, IP addresses 192.168.0.20 and 192.168.0.22.

I am going to map 192.168.0.20 to public routable IP address 203.117.124.180 and 192.168.0.22 to public routable IP address 203.117.124.181.

The purpose is to make those 2 servers, 192.168.0.20 and .22, accessible remotely using a public routable IP address.

However, after doing the configuration I am still not able to ping or access the public IP addresses mentioned above. Both my servers are turned on and can be accessed internally. Both servers are also able to access the internet. See below the partial configuration retrieved from show run.
 
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Antlab) 1 0.0.0.0 0.0.0.0

[Code].....


Cisco Firewall :: ASA5505 PPPOE Is Not Working

Aug 23, 2011

I am trying to get a Cisco ASA5505 to get onto the internet using PPPOE through a Netgear DG384 ADSL router. I have the Netgear in Modem only mode - if you put it in Router mode internet access works fine. When I change it to Modem mode, the error I get on the ASA is PADI timeout. Looking through the config I think I am missing a Global NAT?? Also not 100% on the best way to set the IP - we have a static IP from the ISP. Do you set the interface to use DHCP and get this address or set it statically? Then do you put the setroute option or put in a static? [code]


Cisco Firewall :: ASA 5510 8.4 - Internet Is Not Working?

Nov 14, 2011

I implemented an ASA5510 with the latest software version. I configured the outside interface, default route, and PAT to the outside interface. I am able to ping and telnet to the inside interface of the ASA. But internet is not working. Did I miss any configuration? I enabled icmp to outside. I did a ping to the next hop from the ASA, but it is not working.


Cisco Firewall :: NAT Only Working For Some IP Addresses On 5505

Dec 16, 2011

I'm trying to get a new 5505 installed in our network to replace the 1841 that died over the past few days (memory issues).  One of the big pieces of functionality that the old router gave us was the ability to open certain ports to the outside world to let clients see web sites we were working on for them or let employees RDP in to their work machines.  I'm having trouble getting that working properly with the new device.
 
After a lot of trial and error, I finally got some ports working, but only for some IP addresses.  In theory, Comcast (our ISP) is routing 13 IP addresses to our device (a.b.c.177 through 189).  For historical reasons, the external IP of the device is .178.  Only those NAT entries for .177, .178 and .179 are currently working. I've attached the configuration of the ASA, as well as the configuration of the old 1841.  As far as I know, Comcast's equipment is doing its job, so I don't have a lot of reason to question that end of it.  And it was working with the 1841 in place before its untimely demise.
 
One note - I am also having trouble getting the VPNs working, so they are a work in progress.  That will account for some of the differences in the configs.


Cisco Firewall :: Internet Is Not Working Behind 1841?

Apr 6, 2011

I have configured a Cisco router. I am able to ping google from the router. I can ping my local IP from the router and the router's local IP from my machine. But I can not access the internet on the machine. I can not ping google or any other IP outside the network.


Cisco Firewall :: ASA 5505 9.0(2) Traceroute Not Working

Apr 16, 2013

There is an issue with traceroute from an ASA 5505 with 9.0(2) - here is the running configuration [code] With this running configuration, traceroute from the LAN to a public IP is working fine. But once I traceroute from the LAN 192.168.225.x to the corporate networks via the IPSec l2l tunnel, it does not show any hop at all - even the inside interface of the ASA does not show in the traceroute.


Cisco Firewall :: Inspect Not Working In ASA5520?

Aug 15, 2012

I have a Cisco ASA5520 box running IOS version 8.2(5)13 where the default policy map is applied globally. But I have not seen any traffic being inspected through the included protocols defined under the policy map. All configuration seems to be ok to me.
 
service-policy global_policy global
 Global policy:
  Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0

[code]....


Cisco Firewall :: ASA 5540 SSH Not Working From Outside Port

Mar 13, 2011

We are trying to connect via SSH from an outside system (from the Internet); it was not getting connected.

When we try to connect from the outside pool of IPs then it's working.


Cisco Firewall :: SSH Stopped Working On ASA5520?

Mar 27, 2012

I can no longer SSH to a primary active firewall. It had all of a sudden stopped working.  However I am able to SSH to the secondary standby firewall without any problems. I did try to regenerate the RSA key on the primary fw, but still unable to connect. The only way I can connect to it is by using telnet.
 
I ran the "show asp table socket" command and I'm seeing port 22 listening on the primary IP address (not the standby), foreign address is 0.0.0.0:*. I did a packet capture on port 22 on the inside, seeing my request hit the fw and then right away a reset back from the fw.
 
version 8.2.(5)
model ASA5520
 
I'm hitting a bug in the software version I'm running? Or what else can I check before rebooting the primary fw?


Cisco Firewall :: ASA 8.4 ICMP Not Working On Default NAT?

May 23, 2012

I'm having issues with NAT dropping ICMP on default NAT. Do I need to create another NAT for ICMP?
 
Here's the packet-tracer result:
 
firewall01# packet-tracer input inside icmp 172.23.1.74 0 10 8.8.8.8 detailed
 
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:

[code]....


Cisco Firewall :: ASA5510 / SSH Not Working After Upgrade

Mar 2, 2011

I have an ASA5510 which was running version 8.31. SSH was working fine on version 8.31 but since I upgraded it to version 8.41 the SSH stopped working.


Cisco Firewall :: ASA 5505 SLA Commands Not Working

Jan 28, 2013

I am trying to set up a SLA statement on an ASA 5505 version 8.2(5). When I enter the command "sla monitor schedule 1 life forever start-time now" I get a message stating "%Entry not configured."








Copyrights 2005-15 www.BigResource.com, All rights reserved