Cisco Firewall :: ASA V8.4 Will Stop Pings With IPsec-Spoofing Logic
May 28, 2013
After hours of trial and error, and searching user groups, I have found that on occasion, ASA v8.4 will stop pings with the IPsec-Spoofing logic. Interestingly, the packet-trace will say everything is allowed.
The fix (at least in my case, and one other) is to narrow the crypto-map to specific hosts, not subnets.
Mar 20, 2013
So because of the way active directory handles Group Policy I have been tasked with finding out why this is failing over the WAN. Basically I know why, but don't know how to correct it. I am trying to increase the MTU over an ipsec tunnel to 2048 to allow Microsoft Slowlink detection to occur. [URL] Basically, it sends 2 icmp packets. One at a normal size and one at a size of 2048. In my case this is trying to occur over an ipsec tunnel and failing due to the MTU being at 1440. I have seen a few articles about increasing it to 1500, but is there a way to increase the MTU to allow the 2048 sized icmp packets?
Sep 19, 2011
Is the ACL matching logic between a Cisco router and a Cisco firewall (PIX/ASA) the same? If not, what are the logic differences? I understand that in a router, once a match is found the statements below the match are ignored; I wonder if this applies to the firewall.
Jul 23, 2011
I really need help understanding some of the logic behind the default ZBFW settings on my Cisco 881W, courtesy of Cisco Configuration Professional. Here are my two questions:
1.) What is the purpose and logic behind consolidating the first class-map (ccp-cls-insp-traffic) in to the second Class-Map (ccp-insp-traffic) as follows?
Code ....
2.) What is the purpose and logic of Policy-Map ccp-inspect trying to drop traffic from ccp-invalid-src, which filters based on ACL 100:
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-protocol-http
 class class-default
  drop
Code ....
Apr 24, 2011
What is Anti Spoofing in ASA 5505? Can I enable it on ASA 5505? If yes, will the port be inside or outside? Or both?
May 30, 2011
We are running PIX 535 with software version 8.02. In ASDM, I see anti-spoofing is disabled on all interfaces. If I enable it, is there any negative effect? Can I enable it on the DMZ, inside, and outside interfaces?
Mar 19, 2011
I have multiple questions about the PIX 525 software version 8.0(2) ASDM 6.0(2). I am a Windows network admin that is new to Cisco and routing in general. I have read through the forums and the Cisco documentation, but have not been able to fully understand the topics discussed within.
1. Anti-Spoofing Attack Protection
2. Scanning Threat Detection - Auto Shun
3. NTP Sync Verification
4. QoS implementation
5. IOS and ASDM Backup
This option is currently DISABLED for all interfaces. I know what IP address spoofing is, but what is the functionality of these options specifically? How does it work and should I enable it, and for which interfaces? Second Question: Scanning Threat Detection - Auto Shun
I found this option in ASDM under: Configuration --> Firewall --> Threat Detection. Enable Basic Threat Detection and Enable Scanning Threat Detection are both currently ENABLED, but Shun Hosts detected by scanning threat is currently DISABLED. Also, the Networks Excluded from Shun field is empty. I know what the shun command does. I have used it many times when I have been fortunate enough to catch some piece of **** trying to spam my mail server or gain access to it.
What I am asking specifically is how does the Auto Shun work? Should I enable it and what are the potential consequences? Also, what exactly is a scanning attack?
I am not familiar enough with the PIX and with the topics discussed in the document to successfully apply the info within. Plus, I'm not sure it covers the kind of basic, all-inclusive bandwidth cap I would like to put in place.
The goal is to cap the maximum internet (outside) bandwidth that inside5 can use to a reasonable percentage while allowing the other interfaces to have the remainder.
How would I go about this implementation? 2. Is there a way to allow inside1 - inside4 to use max bandwidth when there is no traffic on inside5?
I am probably, at least, the third owner of this device and I do not have an account with Cisco, nor can my tiny (perhaps non-existent given the current economic state) IT budget afford any form of support or software licensing with them. My goal is to back up the IOS and ASDM data in the event that I have to replace the device due to a hardware failure.
I found a file transfer function within ASDM which allowed me to copy the files pix802.bin, asdm-602.bin and tfp from flash to my desktop computer. I also have a copy of the activation key info and my current configuration.
1. Have I backed up all the data/info I would need to restore this software and ASDM to another unit?
2. The activation key screen also has a serial number field. Is this the hardware serial number or is it for the software? And is it tied to this device specifically, or can I use it to restore another unit if necessary?
3. Is there anything else I should do or be aware of regarding backup and restore for the PIX?
4. What is the tfp file?
May 2, 2013
I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall. I found a post that said to enter "icmp deny any outside", however that does not do it.
I created an ACL to try and do the trick, also to no avail:
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in in interface outside
access-group outside_in in interface outside
Apr 5, 2012
I'm trying to set up an 802.1Q trunk between my layer 3 switch and ASA5520. I understand I need to create a subinterface to accomplish this and have done so. However, the subinterface does not respond to pings, and when I attempt to run the packet tracer on the firewall itself, I get a message saying "Flow is denied by configured rule". But the strange thing is it shows the output interface as "np identity ifc":
(The VLAN in question is VLAN2; 192.168.2.3 is the VLAN2 address on the switch.) The ASA config is as follows:
ASA Version 8.2(5) <context>
hostname context2
names
!
interface GigabitEthernet0/0.2
nameif Inside0/0.2
[Code] ....
Dec 7, 2011
I have an RVS4000 router and it worked well with AT&T's DSL service. I installed it, with my limited knowledge, with no problems. I switched my internet service to Logix and the RVS4000 will not see the Logix signal (the internet LED does not light up on the router). I can hook my computer directly to the circuit and put in the IP address and other info and it works fine. I happened to have another Linksys router handy model # BEFVP41 and it works fine. The router sees the signal and I entered the Logix info in the router and I am off to the www. I can plug the RVS4000 back into the DSL modem and it sees the signal and the internet LED lights.
My question is why won't the RVS4000 work with the Logix signal or is there a setting I am missing? I would like to use the RVS4000 since I paid a lot more for it than I did the BEFVP41.
Aug 21, 2012
I'm currently looking at doing some re-design work for a platform we manage on the ACE. I want to be able to run a single VIP and only do a sticky session based around specific URLs, not all. I've got the following configuration to apply a sticky session to a URL. [code] Notice, under the Policy-map type loadbalance http first-match WEB-POLICY-L7, I have two class statements: one that matches the URL L7 policy and applies a sticky farm, and a second class that falls into the default. Am I right in saying that with this configuration, for any HTTP traffic hitting the VIP 192.168.1.1 that does NOT match /urltobedefined.co.uk/test, sticky sessions are NOT applied, but traffic hitting 192.168.1.1 that does match /urltobedefined.co.uk/test will apply the sticky policy?
May 5, 2011
Is there any way to configure 3825 to ensure that all packets have a source IP address that matches the correct source interface (similar to ASA's 'ip verify reverse-path interface')? Currently, we manage anti spoofing with a bunch of ACLs, however I'm looking for a more manageable solution.
Oct 9, 2012
We want to design a topology based on transparent proxies using WCCP. Our proxies can spoof user IP addresses, so the HTTP request will leave our network with the user IP address as the source IP, and the HTTP response will arrive with the user IP address as the destination address. We want to use WCCP to redirect inbound and outbound traffic because we have c3750 with L2 WCCP support. The outbound redirection, when the packet is leaving our network, is simple. But the problem is the inbound redirection. How do we redirect these packets to the proxies with WCCP? Is it possible? Is this redirection done by the c3750 using TCAMs/hardware? Our throughput could grow up to 2-3 Gbps and we are worried about the performance.
Jun 15, 2012
I just purchased a Sharp Aquos Quattron LC-70LE845U with SmartCentral user interface and I cannot access any apps because I live in Puerto Rico, which Sharp says is not part of the United States. I don't really care if it is or isn't, but I do want to check out the apps because right now it's not really a smart TV and I kinda feel a little jipped. Anyway, I want to spoof the IP to make it think that it is in the United States. However, I don't think that I can go the software route because Sharp has its own operating system and browser, so I don't know what would be compatible. I'm using a D-Link DGL4100 router if that information is useful.
Sep 18, 2011
I have the following Pix 515E Firewall, which has been working well for a few years. But suddenly, the Pix stopped booting up. The only thing that is happening is the power and network traffic LEDs flash and the active LED is off. So my question is: is this symptom a hardware or software problem, and is it fixable with new parts, or is my firewall dead? I suspect that it is a hardware problem since the active LED doesn't light up. I can't even enter ROM Monitor mode.
Mar 31, 2013
Region : India
Model : TD-W8951ND
Hardware Version : V4
Firmware Version :
ISP :
The product manual of TD-W8951ND V4 states that it supports MAC spoofing. But in the product itself, it is nowhere to be found. I tried contacting customer care via email but they are too lazy to respond. If they disabled this feature, then why in the world did they mention it in the manual? I double checked the manual before buying this model. Now I'm stuck with it.
Feb 20, 2013
Region : Malaysia
Model : TD-W8951ND
Hardware Version : V5
Firmware Version : V5
ISP : Streamyx
TD-W8951ND V5 no longer has MAC spoofing support. I just bought this modem since my old one is faulty, and I realize that my modem is V5; my previous modem was V4 and there was MAC spoofing support there.
Aug 19, 2011
I am new to firewalls and I am trying to make mine block specific websites but so far have had no success. Here are the settings I am using in the router's admin area:
Security > Firewall > General
Active firewall
Security > Firewall > Rules
[Code].....
Aug 8, 2012
I have been facing a strange issue on FWSM (6509 switch). We have created a VLAN interface for the server farm on the FWSM and it stops responding automatically, and we need to give shut/no shut commands under that interface to bring it back to normal.
Aug 1, 2011
So we've set up an ASA 5510 and users can VPN in no problem, and an IPCONFIG /ALL confirms that the DNS server settings from the group policy have been applied. Group policy sets DNS servers as 192.168.2.8 (internal), 8.8.8.8 (Google). Public internet sites work OK. Typing nslookup opens up on the correct internet DNS server, but all requests time out.
Aug 9, 2011
I'm looking for troubleshooting LMS 3.2.1 and the ping/ICMP traffic it transmits. A lot of my devices are receiving a lot more pings from LMS than I would have anticipated. I don't run PING sweeps in Device Discovery or CM-UT. I've even disabled DFM polling in a hope to trace the source of these PINGs. Is there any list of which modules use PINGs so I can turn them off and track down the offender? I really only want to manage the known devices I already have via SNMP alone. I don't require LMS to be PINGing for discovery or reachability purposes.
Dec 19, 2012
I have two cisco asa firewalls connected through a VPN, one is 5505 and the other is a 5510. From the 5505 I can ping the internal interface of the 5510, but not vice versa. Would that be a NAT issue? I used the ASDM to configure the VPN tunnels with the wizard for IPsec site to site.
Feb 27, 2011
In the new firmware version is there a way to turn off or not allow anyone to ping my router by blocking any private type of IP address? Which also include loopback addresses?
Feb 14, 2012
I have recently installed a new Cisco SG 300-10 switch--running in layer 3 mode--to function as a basic router for a new subnet installed at one of my company sites. When we attempt to ping devices on the 15.120.204.0 subnet from the 230.20.1.0 subnet, each device gives 2 responses and then times out continuously after that. If we wait long enough (thus far, an undetermined period of time) and reattempt to ping the same devices, the same thing occurs. Otherwise, we get nothing but timeouts. This occurs regardless of where we connect in the 230.20.1.0 subnet including VLAN1 on the SG 300-10. However, if we connect into VLAN 2 on the switch and assign a static IP, those same devices respond continuously. I was thinking that this must be a security setting of some kind but I'm unable to locate anything in the SG 300-10 that would appear to cause this.
May 16, 2013
I'm having an issue that I can't quite understand. I set up a test lab to get familiar with EIGRP routing. I have a Cisco 3845-MB with 2 VWIC2-2MFT-T1/E1 cards. sh ip int brief shows UP UP status on all serial ports. I gave it an IP address but I'm having trouble pinging the serial interface IP. It's dropping pings to its own S 1/1/0 interface when pinging from console. I have known good T1 crossover cables 1&2 - 4&5.
Here is the "ip int brief" from 3845-MB
3845-MB#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES NVRAM  administratively down down
GigabitEthernet0/1     172.30.2.1      YES NVRAM  up                    up
Serial1/1/0:0          10.3.29.2       YES manual up                    up
Right now it's pinging itself at about a 60-90% success rate... and I can't figure out why it's dropping any packets at all. I have other issues within the lab as well... but I think this might be my "core" issue. To make matters even more "weird", I've tried two different VWIC2-2MFT-T1/E1 cards and I drop pings with both of them.
Here is a sh run and a sh diag:
3845-MB#sh run
Building configuration...
Current configuration : 1434 bytes
!
version 12.4
service timestamps debug datetime msec
[code].....
Apr 16, 2011
If I need to enable VPN IPsec through the firewall, do I just need to allow port 4500?
Jun 2, 2011
Now there is an issue that I don't really know how to deal with, and it's the multiplayer game ping that I get lately. For about 3 months I have been getting very high pings when connecting online to a multiplayer server; no matter which game it is, the same happens.
I was getting around 380-470 ping while playing on a European server, but then we solved my last problem (the someone that was connected to my home network) and it reduced the ping to something around 250-300 (sometimes it drops to 100-120).
It is still very high. 3 months ago I had a really bad internet connection and when I was playing on European servers I was getting a stable ping of 100-120, which was normal!
A friend of mine has the same connection that I have and he gets a ping of 100-120, and we play on the same servers (same ISP too).
How can I find out where the problems come from? I did move to a new house in a new area; maybe the ISP servers over there are weak and overloaded? Because when it's like 02:00 AM I am getting a stable ping of 100-120. What is going on here? Is there a possibility to ask the ISP to move my connection to another area's servers or something like that?
Jan 21, 2012
I've just purchased a WRVS4400N VPN router and installed it. This was a replacement for an old Linksys router. After installing the router, I've started seeing wireless drops, packet drops and latency on pings. I've installed the latest firmware, disabled firewall services, disabled IPS. No changes at all. As a basic example, I am pinging my NAS device (hard wired to the router) from a laptop connected to wireless below. Previously, while connected to my old Linksys router, the time was never more than 2 ms.
Apr 8, 2012
I have a WRVS4400N router in a remote office. I have connectivity to the office and the computers there. But the web interface for the router is failing to come up. This happens once every few days or so. Is there any utility or something that I can use to remotely reset the router without making use of the web interface or having physical access to the router?
Aug 11, 2011
I have a D-Link DSL-G604T. I tried to do the firmware upgrade and it froze in the process. Now the internet doesn't work at all. I have uninstalled the drivers and reset the modem, and it indicates the modem is working, as in I have the two monitors and the blue flashing light between them shown; also all the network settings are there, DHCP is assigned automatically, etc. I can ping the modem, but when I try to connect to the internet I get "detecting proxy server", "internet explorer cannot display the page", "FTP (passive)- Error 12007 connecting to ftp microsoft.com".
May 27, 2011
I am purchasing a new DIR 600. It pings properly, but doesn't access the internet. I am using an HP desktop and an ORTEL broadband connection.
Jul 14, 2011
Using a WRT310N Linksys router, and just today at 2 PM I received the largest and longest lag spike ever; it is still going on as I write this (10:00 PM). I am receiving pings of 500+ and my download speed spikes like crazy. Here are my speedtest.net results. Here are my results from Netalyzr URL