Cisco Firewall :: ASA Version 8.3(2) - Internal Traffic Not Allowed
Jul 29, 2011
i have reviewed this configuration a couple of times and I am not seeing my error. I have two internal subnets, in different VLANs with the ASA being the default router. The internal zone works fine, but the zone called wireless on VLAN 13 doesn't. The firewall blocks all communications and the rules look correct to me. I want all traffic on this wireless subnet to be allowed to cross over the firewall and NAT to the outside interface, just as the inside zone does.
View 1 Replies
ADVERTISEMENT
Jul 17, 2011
Can threat detection provoke frequent disconnections on allowed traffic?We are using asa 5520 with 8.3.1 IOS For instance in ASDM we see SYN attack messages .The source ip address correspond to external an external host (in the outside interface) wich is allowed to connect to internal servers(in the internal interfaces).
Our threat conf is as follow:
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
[code]....
View 11 Replies
View Related
May 1, 2013
I have a requirement to nat two public ip addresses to same interanl ip address. Is this possible on ASA version 9.1?
View 3 Replies
View Related
Oct 25, 2012
I have a cisco ASA5505, it runs a wide site to site VPN network and has 4 servers connected to it
10.50.15.4 > fileserver
10.50.15.5 > domain controller (exchange)
10.50.15.6 > terminal server
10.50.15.7 > terminal server
Now yesterday i removed 10.50.15.6 and replaced it with a new terminal server with the same ip address, ever since the ASA is blocking traffic between it and the domain controller (example)
2Oct 27 201214:51:0510600710.50.15.655978DNSDeny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query What has me baffled is the only thing different between today and yesterday is the new server is windows server 2008 and the old one was windows server 2003. The new server has the same LAN ip address as the old one to make the changeover seamless for the users.
why all the sudden my ASA has decided to block the traffic between those machines? all the other machines can talk to it fine just not the domain controller, and seeing that this is a terminal server naturally you can see the problem i face!
this router has worked flawlessly for 2 years now without any config changes and i cant work out why its blocking traffic between those 2 machines.
View 15 Replies
View Related
Aug 30, 2011
I'm usually not working with this product, but this is what I'm trying to do.I have 2 internal networks setup on our Cisco ASA 5505 firewall. (not done by me, I'm a new to this product)I'm trying to access a server on one network from a PC located on the other internal network. (preferable through the web gui)When I try "Packet Tracer" from interface "Trust4" it fails on the NAT phase.(Source ip: 10.0.4.99, Destination ip: 10.0.6.99)
When I check the NAT rule, it says:
Type Source Interface AddressDynamic any outside outside.
View 3 Replies
View Related
Jan 10, 2013
we have a Cisco 2901 as a router on a stick for several vlans. Everything on the segment routes fine and accesses the internet just as they should. The 2901 connects to an ASA5505 on port 0/1. Any host connected to the ASA5505 can access the internet, but can not ping into any of the vlans off of the 2901. The strange thing is on either segement of the network I can ping all of the gateways. What is even more strange is when I run wireshark from behind the firewall going into the 2901 I can not see the packet on another wireshark instance behind the 2901. However if I start a ping for a host host behind the asa I can see the packet in wireshark on the host, which I am trying to ping, hit the gateway.
View 15 Replies
View Related
Mar 22, 2012
We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
ASA Version 8.4(3)!hostname ciscoasadomain-name default.domain.invalidnames!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 10.2.1.1 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 152.18.75.132 255.255.255.240!boot system disk0:/asa843-k8.binftp mode passivedns server-group DefaultDNSdomain-name default.domain.invalidobject network a-152.18.75.133host 152.18.75.133object network a-10.2.1.2host 10.2.1.2object-group network ext-serversnetwork-object host 142.21.53.249network-object host 142.21.53.251network-object host 142.21.53.195object-group network ecomm_serversnetwork-object
[code]....
View 10 Replies
View Related
Nov 26, 2011
I am new to the ASA series and I am at a complete loss as to why I cannot configure this router to forward SMTP and RDP traffic to an internal host.
The packet trace tool in ASDM shows complete end-to-end connectivity for RDP but it still fails to connect from outside. This is my config file, what I need to change in order to make it work?
View 19 Replies
View Related
Feb 13, 2011
I am using ASA5510 and i want to know if it is possible to redirect http traffic to an internal proxy software. I explain : PC from the LAN use a internal proxy in their IE browser but some other PC doesn't use it.They are directy connected to the Internet using the Public IP from the WAN interface ( via NAT). Can we redirected this HTTP Traffic from the WAN interface to the Proxy in the LAN ?
Http Traffic will be routed like that : PC -> WAN interface -> Proxy -> WAN interface -> Internet In fact,can we create a rule saying : All http traffic which doesn"t come from the IP Proxy must be redirected toward proxy.
View 6 Replies
View Related
Apr 23, 2012
I have an ASA 5505 with the base license,When I setup the DMZ interface I had to add the deny access to the inside VLAN. The DMZ works fine with WiFi on it, but user's iPhones can't get email unless they turn WiFi off.Is there a simple way to allow HTTPS traffic through the DMZ interface to our internal Exchange server which is NAT'd on the 5505's external IP?
View 3 Replies
View Related
Sep 12, 2011
I have configure Cisco 5505 as layer 2 firewall mode. I have vendor machine connected to Cisco ASA 5505 on port 2 as VLAN2 inside then VLAN1 outside connected to my internal network on layer 2 cisco 2960 switch. This machine needs access only to LOGMEIN then block all internal/internet traffic.
vendor machine on vlan 2 inside >> Cisco ASA 5505 vlan1 outside >> layer2 switch >> internal LAN >> Cisco 5520 main FW >>> INTERNET
View 1 Replies
View Related
Dec 5, 2012
Since the power failure two days ago, my -ASA stops forwarding traffic to internal servers, for no apparent reason. Packet trace shows all OK, packet capture buffer stays empty when I try to http into the mail server. The only way to get it working is to change the Outside Ip to the one used for mail, then to change it back. It will work OK for a few hours, then stop, with nothing obvious in the logs.
View 2 Replies
View Related
Apr 20, 2011
Does anyone know of a system that works like an internal version of Akamai? I'm looking to be able to distribute content from different locations across our network (with one URL) and I'm looking for an elegant way of doing so. Is there a product out there that does this sort of thing already?
View 7 Replies
View Related
Apr 3, 2012
provide me with the important links which can show me how to do the software upgrade for my ASA 5520 ver 7.0(1) to ver 8.4 ? as well as the ASDM
View 10 Replies
View Related
Apr 26, 2011
I am using an ASA5550 for a complex secure network that has at least six "outside" networks. Each "outside" network is assigned to a specific port each set at level "0". I also have a DMZ, set to level "50". I am having difficulty with passing traffic from a host in the DMZ to all but one of the "outside" networks. Is there a limit to the number of "outside" interfaces? I will provide a redacted config file as soon as possible.
View 3 Replies
View Related
Aug 23, 2011
A user needs to be allowed through the Cisco ASA 5505 firewall to make a VPN connection to 83.1.**.** address on port 1723.
View 13 Replies
View Related
May 17, 2013
I was reviewing my ASA config and noticed that port 1025 was being allowed in and statically NAT'd to connect to my email server:
access-list outside_in extended permit tcp any host X.X.X.X eq 1025
static (inside,outside) tcp interface 1025 Y.Y.Y.Y 1025 netmask 255.255.255.255.
View 2 Replies
View Related
May 10, 2011
i am using Cisco ASA 5510 with ASA Version 8.0(4) and memory 256MB. me to Upgrade it to 8.3
View 6 Replies
View Related
Aug 10, 2011
i allowed one of internal ip using static nat and public ip is 203.18.137.22 and i want to check which IP are hit this public ip ?Is there is any command to check which ip is hitting 203.18.137.22? I have the cisco 5520 asa firewall.
View 6 Replies
View Related
May 6, 2012
I would like to setup an cisco ASA 5505 to only allow certain IP's on port 3389, but i can't get it to work. Maybe some of you experts know why?
Here is my config:
ASA Version 8.4(3)!hostname cisco-asaenable password ** encryptedpasswd ** encryptednames!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.253 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 95.*.*.* 255.255.255.248!ftp mode passiveobject network obj_anysubnet 0.0.0.0 0.0.0.0object network rdpuser-1host 46.*.*.*object network rdpuser-2host 48.*.*.*object network rdp-host-pchost 192.168.1.20object
[code].....
The allowed IP's are setup on user level (rdpuser-1 and rdpuser-2) .Still do, I can't connect to the server from any of these IP's...
View 6 Replies
View Related
Apr 20, 2013
Port forwarding done to a DMZ located server on the cisco ASA 5520. Now this host cannot browse but allowed outside to inside access is possible Is there anyway i can give this system to browse internet? may be through the natted IP ( 94.20.*.*)
View 2 Replies
View Related
Apr 4, 2012
We have a Cisco ASA 5580 and the outside interface has a public IP address and we noticed we can ping this address from the Internet. I did a packet capture on the outside interface and confirmed the pings and the IP address sending the pings. The 5580 does not have an access list allowing icmp so I'm not sure what is allowing the pings to this interface.
View 5 Replies
View Related
Apr 12, 2011
If I am using an ASA5505, and I have a configuration similar to below, I see that the untrusted interface is only allowed to ftp to 192.168.1.5. Since the trusted interface is not limited to ftp only can it basically run any protocol it wants to 10.20.30.2, or does it get limited to only ftp by the other ACL on returning packets.Also, is the ACL applied to the interface because the ACL's name is the name of the interface?
View 2 Replies
View Related
Aug 2, 2012
I am in trouble with my cisco 1841 configuration.The "what I want to" schema: very external IP ( AAA.AAA.AAA.AAA ) in the internet cloud => | cisco 1841 external IP BBB.BBB.BBB.BBB | => internal computer IP CCC.CCC.CCC.CCC
View 1 Replies
View Related
Aug 1, 2012
I am in trouble with my cisco 1841 configuration. The "what I want to schema":very external IP ( AAA.AAA.AAA.AAA ) in the internet cloud => | cisco 1841 external IP BBB.BBB.BBB.BBB | => internal computer IP CCC.CCC.CCC.CCC
Steps (this what I think should be done):
1. Find all packets from A by acl
2. Route finded packets throught cisco1841 directly to internal ip address
It should be easy but it doesn't.
View 2 Replies
View Related
Jul 31, 2012
I have an RV042 router and I'm looking to monitor the total upstream and downstream traffic from within the router.
I know there is tons of software that I can put on a network computer to monitor traffic, but is there any software that I can put on the router itself that will monitor the traffic from within the router?
View 2 Replies
View Related
Jun 27, 2011
I have recently setup Splunk to receive my syslog messages from my ASA 5510. In the past I used kiwi without observing this issue, but I needed more features than kiwi had available. Anyway, anytime I stop the splunk service my asa does not allow any outbound connections to be established.
View 2 Replies
View Related
Feb 28, 2013
I have created a new sub-interface on our ASA 5520 for guest internet access.
My goal is to allow access to a few specific services hanging off some dmz interfaces on the same firewall and full unrestricted access to the internet only. Everything else should be out of bounds.
The order of the rules I plan to setup on the guest interface inbound are:
#1. <rules to allow access to specific services in the dmz>
#2. <block any ip access to the entire private network ip address space>
#3. <permit ip any any>
#1. These rules will give access to the guest user to services located in the dmz
#2. This rule will block all access to any services in the private ip address space (thus blocking access to all internal services)
#3. This rule is to allow access to any other services i.e. the internet.
Is this the best way to achieve my goal in the most secure way or is there a better way? i.e. is there a way to force the traffic by default to only go out the outside interface unless there is a specific rule allowing it go elsewhere?
(Of course Dynamic PAT will also be configured for traffic coming from the guest interface to the outside interface.)
View 2 Replies
View Related
May 17, 2013
I have a ASA 5505, which has two IPSec RA tunnels build, for each one the user is able to authenticate and get an IP address is the designated IP pool, but they are not able to ping the Firewall, or RDP to any internal servers. Here is a copy of the running config:
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa(code)
View 1 Replies
View Related
Oct 2, 2011
We have Cisco ASA 5505, 90.x.y.2/29 IP is assigned to outside interface. We have one internal HTTP server so that I use static (inside,outside) tcp interface [URL] to forward all incoming HTTP traffic to internal HTTP server 1. Now we need to add new physical HTTP server 2 so that I would like to forward
HTTP traffic to e.g. 90.x.y.3/29 to 172.16.0.11.
How can I do that? See scenario image (scenario.png) if needed.
View 6 Replies
View Related
Mar 10, 2011
We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.
View 1 Replies
View Related
Sep 14, 2009
McAffee scan of acs 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Any way to specify only version 2 or turn off SSH?
View 9 Replies
View Related
Nov 27, 2012
I am testing limit bandwith using my ASA 8.2, i am trying to limit internet access for certains users , i order to save Bandwith for the important things but i can´t get any limitation
My configuration is the following, the acces list is just for my pc in order to test, and the service policy is applied to outside interface (called internet in my case) for incoming traffic
access-list Internet_mpc_1 extended permit ip host 172.16.127.70 any class-map Internet-class-TEST match access-list Internet_mpc_1 policy-map Internet-policy-web class Internet-class-TEST police output 1024000 1500
service-policy Internet-policy-web interface Internet
With show service policy i can´t see any activity on the policy , but if i do a similar configuration for inside interface outgoing traffic i can see packets allowed and dropped
View 3 Replies
View Related
