Cisco Firewall :: ASA5505 / 5510 - Prioritize Traffic Based On Destination IP?
Sep 25, 2012
we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?
Do the above values look correct? and why is the priority queue applied to the outside interface and not the inside? (or both). Also is this the part that ensures that the regular traffic does not choke the voice traffic?
class-map voip-class match dscp ef policy-map outsidemap class voip-class priority
service-policy outsidemap interface outside
Will the global policy remain which this interface policy taking priority?
At the moment if I try and access data from VLAN 1 to VLAN 4 it gets to the destination ok going through the static route and over the vInterOffice connection but the problem is VLAN 4 returning the traffic. This fails because there is no static route back to VLAN 1. If I create a static route from Office 2 to VLAN 1 then it will route all my data traffic over it as well.
My HO is connected to BOs over MPLS Links.The links are terminated on routers but i dont have access on those routers as it is maintained by the ISP.Behind of the HO router there is s 3560 switch. Can i configure this switch to prioritize some traffic over the WAN link to the BOs.
I Do want know what could be best Device to prioritize Skype Traffic i mean should i implement it on Cisco 3560 or squid or Mikrotik according to my current scenario to get best result.Also do Let know how to Prioritize Skype Traffic in Cisco 3560 Switch
We have 2mb mpls network between three sites. Each site also has its own internet connection for hosting webserver and internal users to access internet. Each site has a few internal subnets. Each site currently has a 2800 series ISR.
1) Increase Internet connection to 10mbps and configure site-to-site VPNS in a mesh configuration so that each site has a vpn to each other site. This would create six vpn tunnels.
2) Configure so that only Exchange and VoiP traffic use the MPLS network under normal conditions. All other traffic (backup/misc apps) should be routed to use the Internet VPNs. If the MPLS fails of course we would like the Exchange and VoiP traffic to fail over to the VPN connections as well until the MPLS comes back up.
Our ISP has set up a Cisco 2431-16fxs IAD (dual WAN) in one of our locations. It is used to connect the devices (PCs and SIP phones) on our LAN to internet (via 1st WAN port) and ISP's MPLS-based voip network (via 2nd WAN port).
We have 2 LAN subnets - the first subnet (PCs) requires internet access only, so it goes out via the 1st WAN port. The 2nd subnet (SIP phones) is connected the MPLS network (via 2nd WAN port).
We would like to have the SIP phones (that connects to MPLS-based network 192.168.1.x) to be able to access the internet. Is it possible to configure the IAD so that the phones are routed based on destination network; i.e. anything to 192.168.1.x via 2nd WAN port, anything else to the internet via the 1st WAN port?
I have ASA 5510 connected as shown in attached diagram.Ideally when ASA 1 is active and if I boot Switch-1, ASA-2 shood take over. But that is not happening.When I boot SW1 , ASA-2 shows "Failover LAN Interface: failover Ethernet0/0 (Failed - No Switchover)" and remains standby.Fail over works properly If ASA-1 boots.
I am trying to setup my very first ASA5505 and I cannot get it to pass traffic from the inside to the outside. I am not using NAT/PAT. Here is what I have done so far.
ASA5505(config)# interface Vlan 1ASA5505(config-if)# nameif insideASA5505(config-if)# security-level 100ASA5505(config-if)# ip address 22.214.171.124 255.255.255.248ASA5505(config-if)# no shut
Then from the asdm I permited everything from inside to go out but I cannot get any traffic through. I can ping the outside if I source the outside interface but not if I source the inside. The logs would not show me anything.
I did a packet tracer and it indicates the implicit deny rule at the end of the access-list is stopping my traffic eventhough I have allow rules above it?
I also checked the box in the asdm to allow traffic to pass without NAT
We have an issue where by we connect to various customers and the Cisco IPSEC remote access works fine from our LAN through an ASA5505 to a customer site.We have 1 customer that we have some issues with. We can connect from the LAN through to the customers VPN, authenticate and establish a tunnel but in we cannot pass traffic. When we try from outside of the office on a public internet connection the VPN works fine. What could cause this issue?
I have an ASA-5505. [code] I have an Exchange server on the 10.10.10.0 network. I need to be able to allow Active-Sync and OWA from the Guest WiFi through to the Exchange server on the 10.10.10.0 network. The Guest Wi-Fi uses external DNS so traffic is going out to the Internet and getting an IP address which is of course assigned to the Outside interface abd trying to come back in on that interface.How do I make this do what I need? How do I setup the rules to allow this traffic?
Let me start by saying that I'm just starting to study for CCNA, so the ASA seems to be a bit above me yet. The ASA's we are using is for VPN to our corporate office and only allowing access to our Citrix environment, so no direct internet allowed. We have a person who works in the remote office who has need for a caption telephone that requires direct access to the internet. The phone only supports DHCP, and getting the ASA to do an ARP reservations is proving difficult. For now I wrote an access list to allow it's DHCP address out but it still isn't working. The access list I wrote is:
access-list 101 extended permit ip host xxx.xxx.xxx.124 any log access-list 101 extended permit ip any any access-group 101 out interface outside
When I do a show access-list I'm seeing that traffic is hitting the access list as the hit counter has increased. When I do a show conn I'm seeing one of the IP's that the phone should have access to, however the flags are: saA, so I'm assuming they are not getting a response. According to the manufacturer, only outbound connections are needed, no incoming ports required. All traffic is TCP.
I have an ASA5505 that I am setting up behind another firewall. The external firewall has all ports forwarded to the ASA which is fine as I can see the traffic getting to the ASA in the log. However when the traffic trys to return to it's destination the ASA assigns a random port number. For example for VPN the source port is 443 but when the ASA trys to go back to the public IP addess it is using port 52857 which is obviously blocked on the external firewall. The Packet Tracer also says the the traffic is blocked by an implicit rule on the ASA which denys all ip traffic however I can't delete this rule and as I test I have created another rule allowing all IP traffic.
I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind, is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10 and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible? I'm using an ASA5510 but I could also switch to a 5505 for this.
I have a cisco ASA5505, it runs a wide site to site VPN network and has 4 servers connected to it
10.50.15.4 > fileserver 10.50.15.5 > domain controller (exchange) 10.50.15.6 > terminal server 10.50.15.7 > terminal server
Now yesterday i removed 10.50.15.6 and replaced it with a new terminal server with the same ip address, ever since the ASA is blocking traffic between it and the domain controller (example)
2Oct 27 201214:51:0510600710.50.15.655978DNSDeny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query What has me baffled is the only thing different between today and yesterday is the new server is windows server 2008 and the old one was windows server 2003. The new server has the same LAN ip address as the old one to make the changeover seamless for the users.
why all the sudden my ASA has decided to block the traffic between those machines? all the other machines can talk to it fine just not the domain controller, and seeing that this is a terminal server naturally you can see the problem i face!
this router has worked flawlessly for 2 years now without any config changes and i cant work out why its blocking traffic between those 2 machines.
I've just bought a ASA 5505 to project my LAN. I've already use Cisco router in the past but it's the first time with ASA line.Everythings work except one major point, the return traffic is blocked by the system… I don't really understand how the zone based firewall is supposed to work but it seems OK by default, my LAN side is allowed to talk with the Internet but Internet is not allowed to directly call my LAN. The NAT is setup to use the IP of my outside interface.When I try to ping a public server, the ASA debug log show me that the communication can go out the network, with the good translation, then go back to the ASA from the public server and here, the ASA block it because the communication is not allowed.I've only found two workaround:
-allow inside trafic with static rules, and I say NO ;
-disable the zone based feature by settings all zone to the 0 level…
How I'm supposed to make my state-full firewall work with zone based feature?
I have two attachments that show my basic network layout. I can get from the VPN Cisco Client to Workstation 2 just fine with my current NAT rules in place. I can also get from Workstation 2 to Workstation 3 just fine. But I'm having issues when I try to get from the VPN client to Workstation 3... What would I need to do enable to get to Workstation 3 from the VPN client? IT seems very simple to me (just PAT that traffic as I do the traffic from Workstation 2 to Workstation 3) but that does not work.
I've had a Cisco ASA 5505 firewall connected to a cable modem (Virgin Media, UK) for the past 3 years. In the last 6 months or so I have noticed that the ASA would drop the outside (internet) connection intermittently, usually at least once every 1-2 weeks - the interface still shows as being up but no traffic crosses it, and computers on the inside network abruptly lose internet connectivity. Rebooting the ASA or administratively shutting down the interface and bringing it back up again would cure the problem straight away until the next time it happens.
In the last couple of days however despite nothing having been changed in the configuration the frequency of this connection drop has increased to the point where I would lose access to the internet within an hour of rebooting the ASA. It does not seem to matter whether or not there is traffic currently going out or not, inside computers just appear to suddenly lose internet connectivity.
I have tried the following without success:
1) I completely wiped the configuration (configure factory-default)
2) I changed the port the cable modem was connected to (eth0/0 -> eth0/7, changing switchport vlan accordingly)
I thought perhaps 2) had fixed it but it lasted a whole 2 hours before I woke up this morning to find that none of the internal equipment had internet access despite the fact eth0/7 was showing as up/up in ASA CLI.
This morning I manually set the eth0/7 port to "speed 10" (10Mbps, full duplex). It was previously set to be auto-negotiation (default) on both speed and duplex. As of this post it has managed to keep the outside connection up for 3 hours - but I'm not optimistic that it is fixed.
Interface counters have never shown any collisions, errors, etc - only packets input and output as expected.
Since the problem persisted across ports (eth0/0 -> eth0/7) I'm wondering whether or not the problem could either be faulty memory, or some kind of speed/duplex incompatibility between the cable modem and ASA.
I'm going nuts with this ASA5505. This is a secondary firewall used only in emergencies when the primary Checkpoint failes.
The basics, it has two trusted interfaces, E0/1 and E0/2-6. E0/1, inside2 has 192.168.01/29 and inside is 192.168.200.1/24. I'd like any traffic to be allowed from inside and inside2 to outside and any traffic from the inside interfaces should be routed. No restrictions should apply between the two interfaces.
inside works just fine but no traffic is going out of inside2, not to outside or to inside.
How would I go about configuring RADIUS based AAA for remote access VPN users? I have an OSX RADIUS server and an ASA 5510
(I want to keep console and SSH using LOCAL, so I keep this: "aaa authentication ssh console LOCAL", right?)What does the rest of the config look like to get RADIUS based AAA for remote access VPN users?
I am a total Cisco novice who has just had a ASA5505 installed to replace a linux freeware firewall (smoothwall).I'm told that the 5505 can't port forward traffic (e.g. ssh) from two external IP addresses to two internal destination machines via the same port # (22 in this example).
we have a Cisco 2901 as a router on a stick for several vlans. Everything on the segment routes fine and accesses the internet just as they should. The 2901 connects to an ASA5505 on port 0/1. Any host connected to the ASA5505 can access the internet, but can not ping into any of the vlans off of the 2901. The strange thing is on either segement of the network I can ping all of the gateways. What is even more strange is when I run wireshark from behind the firewall going into the 2901 I can not see the packet on another wireshark instance behind the 2901. However if I start a ping for a host host behind the asa I can see the packet in wireshark on the host, which I am trying to ping, hit the gateway.
I am trying to perform destination NAT through a VPN tunnel.my scenario traffic coming from 172.29.11.135 needs to connect to address 192.168.1.1 from the source device traffic will have a source IP address of 172.29.11.135 destination will be 172.30.14.1 traffic will hit the asa 5510 and the traffic source will stay as 172.29.11.135 but the destination needs to change to 192.168.1.1.
I have tried the different types of NAT but been unsucessful with all. My VPN tunnel will connect if the destination address does not change (NAT Exemption used). This scenario is even possible on Cisco devices. I have seen discussion that NAT the source address but not the destination address.
example config access-list FROM_INTERNET extended permit esp any any access-list FROM_INTERNET extended permit ah any any access-list FROM_INTERNET extended permit gre any any access-list FROM_INSIDE extended permit ip host 172.29.11.135 host 172.30.14.1 access-list VPN-TUNNEL extended permit ip host 172.29.11.135 host 192.168.1.1
**I have left other config statements off as the NAT config used previous has not worked and the VPN tunnel does build when using NAT exempt.
**All ACL have been applied in the inbound direction on the respective interfaces. Two static routes have been applied to the FW directing inside traffic inbound and all unknown traffic outbound. I have not defined a specific static roule for the VPN traffic allowing the default static to perform that function.
I have a classical "inside + DMZ + outside" configuration.I also have a mail server in DMZ which have to be allowed to reach any destination on the outside (internet) at least on the SMTP port, of course.If I make an access rule that allows traffic from that server to "any", everything works fine, but doing so the server is allowed to reach any destination, including what is behind the inside interface (internal network).I didn't find any other option to tell the ASA machine to allow any destination, but on the outside interface only.I do believe is possibile to have the ASA to allow any kind of traffic from a host on the DMZ to the outside interface only, but I didn't figure out how.
P.S.: I'm using a 5510 machine running version 8.2
I want to know if there is way to tag traffic with DCSP tags without having to do all the other requirments of QOS setup. All i want to do is just tag traffic at different DCSP values via source and destination IPs. We do not have a need to be priortizing traffic on out internal switches. We just want to tag the traffic so our MPLS provider can distinguish the different types of traffic.
Our environments is primarily 3750s in all offices.