Cisco Firewall :: ASA IOS 8.3 - Access To Servers At Company Out On Web?
Jul 26, 2011
I have an AD server that needs access to servers at a company out on the web. It is an ASA; the protocol is LDAP.
AD server 10.12.1.56 / 24
External servers 206.123.45.122, 174.87.96.143
ASA configuration
access-list outside permit tcp host 206.123.45.122 host 10.12.1.56 eq 389
access-list outside permit tcp host 174.87.96.143 host 10.12.1.56 eq 380
Oct 24, 2012
I have an ASA 5505 that I have been using to test run the IPSec VPN connection. After studying the different configs and running through the ASDM, I keep getting the same issue: I can't receive any traffic.
The company LAN is on a 10.8.0.0 255.255.0.0 network and I have placed the VPN clients in a 192.168.10.0 255.255.255.0 network; the 192 clients can't talk to the 10.8 network.
On the Cisco VPN client I can see lots of sent packets but none received.
I think it could be to do with the NAT but from the examples I have seen I believe it should work.
I have attached the complete running-config, as I could well have missed something.
FWBKH(config)# show running-config
: Saved
:
ASA Version 8.2(2)
[Code].....
Aug 19, 2012
We wish to implement IPSec remote access VPN with the condition that employees should be able to connect to this VPN only from company-issued laptops and not from any other computers. I assume using client-side certs is one of the ways to do it, but I couldn't find any doc that was really useful. Cisco's documentation seems quite obscure. We are on 8.1 (5520).
Nov 15, 2011
Basically we have 5 users in one of our offices and the internet works completely fine. However, we cannot access the company Intranet. We receive 'The page cannot be displayed'. I have no idea why, because all other sites work okay! Note: The Intranet can be accessed from home and libraries, as I have checked, as well as from 2 offices we have; everything works fine. It's just the one office, and everything else works fine.
Nov 11, 2012
I am trying to set up an ASA5550 so that I can access the servers behind it. Simple.
As of now, I am unable to even create an access-list to allow traffic from my remote IP into the firewall. As far as my level of experience with Cisco firewalls, it's basically zero but I have taken the Cisco CCNAX class and feel that I have a good understanding of the fundamentals. That said, we only dealt with routers and switches, and it's not impossible that I'm missing something that would be totally obvious to most folks on this board. I've used CLI and ASDM with no success.
Here are the relevant parts of the config:
[code]...
May 9, 2013
We have;
3 - 5508WLC
1 - 4402 WLC
Cisco Prime 1.3
25 - 3502i
We have 25 remote sites that use MPLS back to the company HQ, which has one connection to the internet. Also at the HQ we have a separate ISP connection. The remote sites and HQ have APs which provide internal company access. We would like to have a separate Guest WLAN at these remote sites to provide access to the ISP connection at the HQ. Do we need to have an anchor controller? From the documentation I have been reading, it looks like anchor controllers are mostly used for networks that have a single connection to the internet, and they use the FW to control/secure the guest and company networks from each other. Is there a different way of separating the guest wireless and company wireless networks securely from each other while using the same WLCs and APs?
Apr 3, 2013
I am having some trouble accessing some backup Email (Outlook Web Access) and Citrix servers located behind an ASA 5505 firewall at a remote datacentre. Simply put, when I go to the specific URL (e.g. [URL]) I do not arrive at the splash page, I just get a message saying that the server took too long to respond in the web browser. I'm wondering whether I have missed something on the configuration or the firewall itself is not letting my requests through. The remote servers are located at a remote Disaster Recovery site and use the subnet 192.168.4.0/24. I am at head office which is connected to the DR site via a VPN using 192.168.1.0/24.
[Code] .....
Jul 20, 2011
I have configured the ASA 5505 for internet access and for outside users to use two servers in the DMZ. Everything is working fine. When I was configuring the VPN, I made some mistake, I guess; now inside users are not able to access the internet. They get an error 405: "That's an error. The request method XXX is inappropriate for the URL /. That's all we know." I am also not able to access the server in the DMZ from outside, and I get an error: Bad Request - Invalid Header. These things just happened after I did something on the ASA. I copied and pasted my old configuration, but inside users are still not able to connect to the internet and from outside I am not able to connect to the server. The weird thing is that I can use the VPN without any issues. I can connect to the VPN but I can't access any internal resources. Inside users are even able to ping internet addresses without any issue.
Apr 21, 2013
I have just moved and my ISP is the same (Comcast), but I'm in a different region of the country. The former service (modem) was a Cisco (1 port) that I connected my EA 2700 Cisco router to, and it worked like a charm. My IP phones came right up as well. Now I have a modem/router combo (provided by my ISP), and whenever I attempt to connect to my VPN it gives me an error and does not connect. I was told by my ISP that I could bridge the router and try that way. Do I need to set up all over again, or have the settings remained? Also, I am unable to access my router with admin/password. How do I reset the password?
Aug 8, 2012
I have a customer with an 877ISR with zone base firewall. They want to access two servers on the inside from the internet using RDP but with different ports.
Partial configuration.
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables(code)
Apr 4, 2012
How does one configure the router so that Internet users can access internal company websites? The only thing that appears is the Cisco router login. Also, I need to configure Terminal Services and it's not on the list under Service.
Nov 28, 2011
I have an issue that I am at a loss as to how to solve. I have an ASA 5505 as my firewall. I have users from other companies who visit from time to time and are unable to use their Outlook email to send messages. They can, however, receive messages without a problem. I also have a situation where users who use Windows Live to access Gmail are unable to send messages.
I have narrowed it down to the fact that these users are using SSL/TLS to send the mails. I did some research and found out about the inspect esmtp setting in the ASA. I have disabled it and I still have the problem. I have also removed all outbound deny statements and still no luck.
Of note is that I can send emails without attachments. They take a long time to go out (from minutes to hours) but eventually they do. Emails with attachments of even 10k do not go at all.
I was running image 8.2.3 and I downgraded to 8.0.5... still did not work... I upgraded to 8.4.3... still did not work. I am now back at 8.2.3.
My firewall config is attached. I am at my wits' end as to what else to try. The company has not renewed support for the device so I am on my own here!
Jun 11, 2013
We are planning to split the Private servers from the DMZ Servers and configure an additional Interface and segment for this purpose.
Private Servers Segment: 192.168.4.0/24 (there is no DHCP all servers' IPs are statically configured)
DMZ Segment: 192.168.3.0/24 (This is a future deployment)
LAN Segment: 172.17.0.0/16
Both the Private Servers and the DMZ Servers are in a colocation, as is the ASA5520. There are multiple branch offices that use subnets within the 172.17.0.0/16 network and they are connected to the ASA5520 via Metro-E.
I do not know if this is possible but what I want to do is this:
In order to avoid the change of internal DNS records I want to mask the DMZ servers with a Private Server IP when a Private server or LAN host wants to access it like this:
The FTP server in the DMZ has the IP address 192.168.3.100. But when a PC from the LAN wants to reach the FTP server, it should point to its old IP: 192.168.4.100. This way the PC sends a packet to ftp.corporate.net (192.168.4.100), the ASA receives the packet, translates it to 192.168.3.100 and sends it out through the DMZ interface.
Also, if the Private Servers want to reach the same FTP server, the ASA will act like a proxy-ARP and send the packet to the DMZ by means of the translation of the IP.
Nov 21, 2012
New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
-Single static public IP: 16.2.3.4
-Need to PAT several ports to three separate servers behind firewall
-One server houses email, pptp server, ftp server and web services: 10.1.20.91
-One server houses drac management (port 445): 10.1.20.92
-One server is the IP phone server using a range of ports: 10.1.20.156
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505. Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP? [code]
Feb 18, 2013
I have 2 FWSM modules in a 6500 switch (failover). I need 5 contexts. When I use routed mode (like in the picture), I cannot ping the servers behind the firewall. (I can ping the FW context.) In transparent mode, this does not happen. What is the problem with routed mode?
Jun 30, 2011
How do I access an MS Access backend with a front end without using SQL or SharePoint?
Feb 8, 2011
I recently changed web hosting partners for my company's website. With the change I can view my company's website from inside the LAN but can outside of the LAN.
Jan 9, 2012
I am running a smaller hosting company and I am currently looking at a Cat6506 switch with a SUP720 Supervisor Engine. I have also been looking at a Cat6509 with a SUP2-GE Supervisor Engine. At the moment I am getting my connection from an ISP, but I am going to get my own BGP AS now. My question is just, how much will the SUP720 be able to route, and how many routes will I need to get it to route my packets in and out of my AS? I have seen that the full BGP table is over 400,000 and the SUP720 is only capable of 256,000, but do I really need the full table? I
major differences between the SUP720 and SUP2-GE Supervisor Engines?
Nov 13, 2011
Having worked abroad, will my internet history be visible to IT when I reconnect my laptop to the company network?
May 29, 2012
By default SBS 2011 places a shortcut on the desktop to companyweb and adds shortcut in the start menu under Windows SBS to companyweb as well.
I found the instructions to edit the XML file for SBS 2008 to prevent this from happening, but that does not work with SBS 2011 as I do not see those settings.
I did also find the login script for SBS 2008 settings to remove those after the fact all of the time and that is easy enough to change to make it work with SBS 2011; but I would much rather just prevent the shortcuts from being placed in the first place.
Sep 16, 2012
Nowadays my company works with autonomous APs (AP1142, most of them). We have a WLC 5008 and I am working on the implementation project... So far so good. BUT, I have just realized that the company didn't buy a second WLC (this project started 1 year ago and I wasn't an employee here yet...). If I convert all the autonomous APs we have (around 25, locally and some of them remote)... and then I have a HW problem with our single WLC... will those APs continue working?
Jan 6, 2012
I need to use the company laptop to connect to home broadband. However, when it is connected, it shows "no or limited connectivity". All the other laptops/computers at home can connect without any problem. When I try to use my iPhone as a hotspot, my company laptop can connect and browse websites (but extremely slowly because it is 3G speed).
Mar 1, 2011
I'm no network security expert but have been asked to "investigate" someone who has been connecting their personal laptop to the company network and using our internet to do "questionable" activities.
Basically I have this information taken from our domain controller's logs:
- DHCP address that was leased to the laptop at the time of the "infractions".
- Computer name of the laptop.
- Precise date and time of when this person was connected to our network.
Based on the DHCP address, I can somewhat narrow it down to a few different switches at different locations in the building, but there's no way to pinpoint it exactly. If I can figure out which switch they connected to, I would know who did it.
Apr 11, 2011
How to open website company in internal network
Oct 14, 2011
I am going crazy with our Cisco Linksys RV016. It handles 3 simultaneous connections to the internet using 3 ISPs. Our whole company goes to the internet using this Cisco Linksys RV016; our corporate switches are connected as clients to the router. Some time ago, this router started to drop POP3 connections to our network. When this problem is present, all users get a 'Receiving' reported error (0x80042108) in Outlook 2007-2010. Currently I have set up the POP3 service to use the first ISP connection, but when this problem is present, the only way to eventually resolve it is to switch the POP3 service from the first to the third ISP; sometimes it works immediately, sometimes it doesn't. We have been using this router since 2007 but this problem started to arise this month.
Our switch has the latest firmware available on the Cisco website; this is the firmware version: 3.0.2.01-tm.
Jul 14, 2011
How can I configure a Catalyst 3750, whose interface is patched to the ISP router (internet uplink bandwidth = 20 Mbps), so that all active users share the bandwidth (whether 5, 50 or 100 users simultaneously) when surfing the internet? Right now, when a user starts a larger download it uses the bulk of the bandwidth, and all the remaining users get extremely slow access times.
Jun 22, 2008
I have an ASA 5520 upon which I need to build a WebVPN for the company URLs - webmail, intranet portals etc. There will be 2 groups -
a. Confidential Access - For senior management.
b. Public Access - For employee access.
RSA Token & LDAP auth would be used for access to the WebVPN. However, I am unclear on a certain aspect. How do I isolate the 2 groups? I mean only senior management should be able to view & access the first set of links, while employees see and access the other set of links only. Both groups will be available to all users logging on to the WebVPN. Since the authentication mechanism - LDAP - is the same, anyone would be able to access the groups and, in turn, the URLs.
Dec 4, 2012
I wanted to know if I could set up a Netgear wireless router on my ethernet cable that is coming out of the wall. Is it as easy as plugging the cable coming out of the wall into the internet port on the router?
Apr 16, 2011
does not accept my password
Apr 30, 2012
I've studied and labeled out MPLS and MPLS VPNs several times. The situation I'm presented with is a little different from most of the case studies I've seen in my MPLS books. I've attached a diagram.
We have an IPsec site-to-site tunnel from our main HQ router to a Cisco ASA 5510 in the core network in the colo. This allows our HQ office to reach the private subnets in our core without using a Cisco VPN client. The problem we are running into is that this seems to be putting undue strain on the Cisco 2811. I feel like the 2811 should be able to handle it, but doing any kind of upload or download through the tunnel spikes the CPU/interrupts and makes the router CLI basically stop responding until the traffic transfer is stopped or completed. During this time, certain Cisco SCCP phones on our BroadWorks platform cycle while the SIP phones on the same platform are OK. We are trying to alleviate the load on the 2811 by setting up a VRF from the HQ network to the private VRF used in the core for private subnet communication. The problem I'm having is that the HQ also has some public traffic that I do not want to include in the VRFs and would like to have travel through the P2P circuit we have and access the internet or other public devices through the core public IP Internet routing table.
The flow would be this:
-going to a public address use the public internet routing table
-going to private address in the 10.x.x.x or 172.x.x.x - use VRF to core Private network.
This setup is a little different from most of the VRF VPN examples I've seen. In most of those, the CE device is completely private. This is not the case at our HQ.
Jan 25, 2012
I am in the process of adding a lot of servers to sit behind our new ASA 5505 (8.4) firewall. At the moment I have added 2 servers and they are both NAT'ed to 2 different public IPs.
Server 1 192.168.10.1 -> 80.*.*.1
Server 2 192.168.10.111 -> 80.*.*.6
The first server can only be RDP'ed in to using its public IP, which is what I want it to do. The second one has most of the service ports open, like 443, 80, 110, 25 etc. However, when I try to browse externally to [URL], I get an "Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error." in Google Chrome or any other browser, and the ASA reports:
11:27:30 192.168.10.111 2626 80.*.*.6 443 Inbound TCP connection denied from 192.168.10.111/2626 to 80.*.*.6/443 flags SYN on interface inside
I also get a Land to Land attack detected from 80.*.*.6 to 80.*.*.6
Is it worth setting up a DMZ or can I get away with the setup I have?
Aug 9, 2010
In my Cisco ASA 5550, I need to set two different syslog servers, and I need to send the system logs to the first one (only admin login/logout), and the traffic logs and all the rest (informational level) to the second one. Do you know if it is possible or not and, if yes, how to configure it?
Nov 12, 2012
I have the following configuration: An ASA5505 with Security bundle license sits at the perimeter with a single public IP address assigned to VLAN2 (outside) out of a /29 block. I have two servers with static IP addresses of 10.70.21.6 and 10.70.21.7 connected to the inside ports with a default gateway of 10.70.21.1 (which is the IP address for the VLAN1 inside). I have already configured a default static route and NATing (PAT) so we have an internet connection for the PCs. Now I need to configure the ASA to allow remote desktop connections to the servers (with the static IP addresses above). Can I use a spare public IP address for each server and, if so, what's the syntax? Or is there another method? I have done this before, but I had a Cisco 2811 router on the perimeter, so the syntax then was: ip nat inside source static 10.30.1.248 81.85.199.44