Cisco Firewall :: ASA5505 - Can't Get Home Webserver Published To Outside Interface
Aug 17, 2011
I've tried to get my head around this but beeing used to Juniper and Watchguard devices I just can't get my home webserver published to the outside interface.I have a ASA5505 with ASA version 8.4 and ASDM version 6.4 and the basic license.
Outside interface is X.X.X.32/255.255.255.248 so I have 5 static IP:s on my external interface, .34 is in use for the outside interface.
Inside 10.10.10.0/25
DMZ 10.0.0.0/24
I have a webserver in DMZ located at 10.0.0.253 and would like to publish it to the external IP X.X.X.35.I've tried to make the static NAT but every time I do either nothing goes in or out of the DMZ zone or you can't access the webserver from the outside interface.Right now I deleted all trials since none of them work so only the basic config is applied. Everything get's NAT:ed to the external interface .34 IP.
View 4 Replies
ADVERTISEMENT
Jul 26, 2012
We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
View 17 Replies
View Related
Dec 20, 2011
Im currently working on setting up a small network at home. I have a Dell 2716 and a dell 2650 server running windows server 2003. Ive already setup the dns and domain controller on my server. I have 3 desktops that will connect to the server. so far I have the following setup. ISP---> Dell 2716 --->dell 2650/ computers. I set the computers prefered dns to the servers ip. Im able to join the domain and log in but is there a better way to set it up. Also the server and computers are set to static ip.
View 2 Replies
View Related
Jul 14, 2011
I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
View 32 Replies
View Related
Mar 4, 2012
I have a cisco asa 5505 firewall, and I have a normal home ADSL broadband router, the router currently connects via wireless to my pc.What I would like to do is basically connect the asa to my pc, then my router to my firewall.what the best thing to do here, run the aa in transparent mode, OR routed mode and do NAT on the firewall to the private ip address range of my router.
OR, would it be possible to get the outside interface of my asa to get DHCP from my broadband router so it will use a 192.168.1.x address on the outside, and then turn NAT off?
View 2 Replies
View Related
Mar 12, 2012
I have an ASA-5505. [code] I have an Exchange server on the 10.10.10.0 network. I need to be able to allow Active-Sync and OWA from the Guest WiFi through to the Exchange server on the 10.10.10.0 network. The Guest Wi-Fi uses external DNS so traffic is going out to the Internet and getting an IP address which is of course assigned to the Outside interface abd trying to come back in on that interface.How do I make this do what I need? How do I setup the rules to allow this traffic?
View 2 Replies
View Related
May 6, 2012
I have ASA5505 configured with internal network as 192.168.15.0 and default gateway 192.168.15.1 From the inside network, i'm able to access internet and able to ping all website (enabled ping). and all internel network devices can ping each other. Except i cannot ping my gateway (ASA5505) 192.168.15.1. I'm continously seeing this message on the log, when i tried to ping.. How to fix this?
Denied ICMP type=8, code=0 from 192.168.15.xxx on interface inside
replace xxx with my network devices that try to ping the gateway..I dont want outsiders ping my gateway, i need ping for inside internal network only.
View 5 Replies
View Related
Sep 17, 2011
I have two attachments that show my basic network layout. I can get from the VPN Cisco Client to Workstation 2 just fine with my current NAT rules in place. I can also get from Workstation 2 to Workstation 3 just fine. But I'm having issues when I try to get from the VPN client to Workstation 3... What would I need to do enable to get to Workstation 3 from the VPN client? IT seems very simple to me (just PAT that traffic as I do the traffic from Workstation 2 to Workstation 3) but that does not work.
View 10 Replies
View Related
Jun 19, 2011
How can I get DMZ hosts to be able to access the Internet via the Outside interface of my ASA5505.I am using the DMZ to allow temp guest acces to the Internet.
Here is my configuration and it can be changed as needed.
User Access Verification
Password:Type '?' for a list of available commands.ciscoasa> enaPassword: *******ciscoasa# sho run: Saved:ASA Version 8.0(4)!
interface Vlan1nameif insidesecurity-level 100ip address 192.168.100.39 255.255.255.0!interface Vlan8no forward interface Vlan1nameif dmzsecurity-level 50ip address 172.31.10.1 255.255.255.0!interface Vlan11nameif outsidesecurity-level 0ip address 24.172.82.xxx 255.255.255.252!interface Ethernet0/0!interface Ethernet0/1switchport access vlan 11!interface Ethernet0/2!interface Ethernet0/3switchport access vlan 8!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!boot system disk0:/asa804-k8.binftp mode passivedns server-group DefaultDNSdomain-name asaobject-group protocol DM_INLINE_PROTOCOL_1protocol-object udpprotocol-object
[code]...
View 10 Replies
View Related
Feb 25, 2013
I have been asked to install a ASA5505 on a home network. The home network has a home broadband connection which the ISP provider supplies with an IP address. This is only for 6 weeks until the new line comes in. I know this is going to cause problems but we have no choice but to impletment this.
My questions are below.
1, We have a home hub supplied by the ISP which is configured by an IP address which is NOT static. Can we not use the ASA 5505 instead. I know that if our ISP change the IP address we have to change the IP address on the 5505.
2, Will we be able to use the home network broadband to create a secure connection?
View 1 Replies
View Related
Oct 28, 2011
I have been working on a configuration for single IP address (on outside ) of ASA5505.I am trying to utilize the outside address 192.168.0.249 to PAT/NAPT to 10 inside machines [code]
What I am not sure of (actually that could be considered all encompassing) is the mapped services/real services.Any constructive comments assistance?
View 5 Replies
View Related
Sep 13, 2012
I am trying to access and ping the inside interface of a ASA5505 from a remote network. From the remote network, I am able to access anything on the local network, but the ASA5505 inside interface.The 2 networks linked by a fiber link which have a transport network on another interface. From the remote network, I am able to ping the transport network interface IP, but I would like to be able to ping the inside interface IP. When I do a packet tracer, I get a deny from an implicit rule.How can I achieve that?
Here are the subnets involved and the ASA5505 config.
Remote network : 10.10.2.0/24
Local network : 10.10.1.0/24
Transport network : 10.10.99.0/24
[code]....
View 1 Replies
View Related
May 14, 2012
We're running three networks (inside, outside and dmz). Inside is 10.0.1.0/24, dmz is 10.0.2.0/24, outside is a static ip allocated by our ISP. We'd like to configure the following:All traffic from the outside to [static provider ip] on port 80 should go to 10.0.2.200 port 8080.
View 14 Replies
View Related
Apr 24, 2011
I have one webserver which open for public via http and https. The server sit behind Cisco ASA 5510. Today our webserver have been hacked by someone. The index.html has been replaced by hacker own index.html file. Is it anyway to detect who did (by IP) this? is my Cisco ASA can give any clue about it? How to prevent from this happening in Cisco ASA? FYI, my ASA only allow HTTP and HTTPS port from outside to internal. This ASA is solely dedicated to protect the webserver.
View 3 Replies
View Related
Dec 18, 2012
I have the syntax correct and thought process down right on a solution to allowing guest wireless users access to an internal webserver. (DMZ discussion aside)
We have an ASA5510 with interfaces setup as:
outside - 65.x.x.x address
inside - 172.20.1.2
guest_inet - 10.2.1.1
Internally clients resolve our website to 192.168.40.40 and that part works as it should. Clients outside of our network resolve our website to the correct external address (lets just call it 1.1.1.1). We have a NAT statement static (inside, outside) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 and an ACL to permit tcp any host 1.1.1.1 eq www
Clients on our guest_int use an external DNS server and hence resolve our website to 1.1.1.1. However it seems traffic goes out and back in our outside interface and this connection never occurs.
What I'm wondering is the correct NAT statement / ACL to add that would allow our internal clients on the 10.2.1.x network to access our internal website. Would that be: static (inside,guest_inet) 1.1.1.1 192.168.40.40 netmask 255.255.255.255 ? Since there is already an ACL permitting port 80 traffic to 1.1.1.1 we should be taken care of on the ACL side of things, right?
View 3 Replies
View Related
Jul 8, 2011
I currently have an out of the box ASA5505 and need to change the internal interfact from 192.168.1.1 to 10.20.3.1 so it fits in with the rest of the network.Tried using the ASDM Startup wizard (via 192.168.1.1) and it just seems to hang on "delivering the commands to the device".
View 16 Replies
View Related
Feb 5, 2013
New to Cisco but learning some. Needing to know what I should code into CLI on my ASA5505 to make it work with comcast modem which uses DHCP for it's addressing from Comcast proper.
View 2 Replies
View Related
Oct 6, 2011
I have an ASA 5505 with Base license and a vpn client. The scenario is like this: LAN -- ASA 5505 -- ISP DSL Router---( Internet ) -- Home DSL Router --- LAN -- VPN CLient, The ISP DSL Router gets a public IP address and the ASA gets a private IP address (ISP DSL router doing NAT) and I cant reach the internet with no problem from the LAN´s ASA side but I cant make the vpn tunnel connection from the LAN´s Home side so I told the provider to bridge the ISP DSL Router, to the ASA so the ASA could get the public IP but in order to do that the provider told me to do MAC clonning on the ASA 5505 which I did putting the ISP DSL Router MAC on the ASA. Now the ASA gets the public IP on the outside vlan by DHCP but when I try to make the VPN tunnel I just cannt. I can reach the public IP by ping on the ASA and I can see the pings coming in using debug but I just cant make the vpn client work.
View 2 Replies
View Related
Jul 16, 2012
I am connecting to a ASA5505 at from home to the head-office using L2TP VPN.
Head-office then has a connection to other-office via a site-to-site IPSEC tunnel.
When in the head-office (192.168.100.0/24) I can ping/access remote-office (192.168.200.0/24) OK.
When connected remotely to head-office, I can ping/access head-office OK from the road-warrior laptop.
My problem is that when connected remotely from home to the head-office I cannot ping/access the other-office subnet.
On the home laptop the L2TP VPN connection is set to route all traffic to the VPN connection using the HQ as the internet gateway I can confirm this works.
I cant do traceroute (I get timeouts) as my policy doesnt allow and not sure how to enable this properly on the ASA.
names
name 192.168.200.0 othersite
!
interface Vlan1
nameif inside
security-level 100
[code]....
View 1 Replies
View Related
May 28, 2013
We are having Cisco ASA 5540 having Cisco Adaptive Security Appliance Software Version 8.0(5)23 at certain time of moment daily wer are facing latency and packetdrop wherin when I checked for ASA Interface which gives me " Input Errors" on outside interface ,so can any one tell me what are the causes to get input errors on cisco asa outisde interface.
View 2 Replies
View Related
Feb 24, 2011
I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.
When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.
The ASA5505 configuration is shown below.
hostname Firewall
interface Ethernet0/0
description Connected To Internet Router
switchport access vlan 10
[Code].....
View 2 Replies
View Related
Oct 1, 2012
configuring an ACL for a 857 Cisco router for web-server traffic. I've configured a NAT for the inside network and added ACL entries for port 80 access but dont seem to have any luck accessing the website remotely. I suspect there's an ACL rule blocking access.
Setup Internet === Router === Webserver
Router address: 10.0.10.1 Web-server address: 10.0.10.77IP from ISP address: XXX.XXX.XXX.XXX
(masked for security)
View 2 Replies
View Related
Sep 6, 2011
The remote office is connected to hq via site to site vpn. I have 1 static IP (on the remote site)that I use for the site to site. I need to publish a web server at the remote site. My question is can I use the same IP for VPN and web server publishing, I am having trouble getting the web server to publish
View 2 Replies
View Related
May 17, 2011
i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.
View 2 Replies
View Related
Jan 9, 2013
Internet ISP -> Juniper SRX 210 Ge-0/0/0
Juniper fe0/0/2 -> Cisco ASA 5505
Cisco ASA 5505 - >Inernal LAN switch.
1. Internet is connected to Juniper Ge0/0/0 via /30 IP.
2. Juniper fe0/0/2 port is configured as inet port and configured the Internal public LAN pool provided by the ISP. And this port is directly connected to Cisco ASA 5505 E0/0. Its a /28 pool IP address. This interface is configured as outside and security level set to 0.
From Juniper SRX, am able to ping public Internet IPs (8.8.8.8).
Issue:
1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30)
2. From ASA no other Public internet IP is pinging.
Troubleshooting Done so far.
1, Configured icmp inspection on ASA.
2. Used the packet tracer in ASA, it shows the packet is flowing outside without a drop.
3. Allowed all services in untrust zone in bound traffic in Juniper SRX.
4. Viewed the logs when I was trying the ping 8.8.8.8 in ASA. It says "Tear down ICMP connection for faddrr **** gaddr **
View 2 Replies
View Related
Oct 9, 2011
I have Pix 501 firewall and I'm just configuring the device for "Email Server" to allowing POP/SMTP.
Inside Interface Address: 132.147.162.14/255.255.0.0
Outside Interface Address: ISP provided IP address
My question is can my traffic goes from inside interface to outside interface? (because the inside interface address not from 10.0/172./192.168 private address)Also I'm allowing internet from this email server (132.147.162.14) so what my access list to be configured? and what my subnet mask shoud be there?
Pix(config)#access-list outbound permit tcp 132.147.162.14 255.255.0.0 any eq 80
Pix(config)#access-list outbound permit udp 132.147.162.14 255.255.0.0 any eq 53
Pix(config)#access-group outbound in interface inside
View 7 Replies
View Related
Mar 18, 2013
I've got a ASA 5550 firewall interface failover issue. (File attached).
when I shut down the inside interface Gi 1/1 of the left firewall(Active firewall), It failed to failover. but when I shut down the Gi 1/12 of the Core 1 switch, The firewall failover very well.
I followed this guide but I was not able to failover. [URL]
how can I configure so that when the Gi 1/1 or Gi 1/0 interface goes down, it can failover ? Code...
View 6 Replies
View Related
Apr 1, 2013
I'm trying to troubleshoot an ASA5505.
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic. I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did. That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below. However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
show ver
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"
[Code].....
View 4 Replies
View Related
Feb 28, 2013
I have my webserver (30.30.30.50) located at DMZ zone. The public IP of my webserver is (119.2.116.191). From outside i can ping my webserver using public IP thats fine.The issue out here is, if i want to ping my webserver using public IP from Internal LAN then i cannot ping but i can ping my webserver using private IP.I am using ASA5520. [code]
View 2 Replies
View Related
Mar 20, 2011
ASA 5510I'm trying to add a static NAT for to allow access to an internal webserver on my DMZ. I've added the config, however i'm still unable to get to it from the outside. I'm able to ping and browse the server from the LAN and I'm also able to ping the external interafce from the outside, but just unable to browse.I've turned on logging and the error I'm getting is "Inbound TCP connection denied...flags SYN on interface outside"
View 0 Replies
View Related
Apr 12, 2012
I am running a webserver locally and I am unable to resolve it by domain name (e.g. mydomain.com) when I am inside my network. However, I am able to hit it internally (e.g. 192.168.0.10) just fine. When I try to access mydomain.com from inside my network it comes up with my Actiontec router's admin page on 192.168.1.1.Here is my configuration:Actiontec FIOS router 192.168.1.1 (connected to internet)DHCP disabled Netgear Router 192.168.1.2 is in the DMZHas cable running from Actiontec's LAN port to Netgear's WAN port[CODE]
View 7 Replies
View Related
Feb 17, 2013
I am running a websever on virtual machine on ubuntu .how can i forward all traffic coming to my ip to virtual machine which is 192.168.1.4 on my LAN.here are my configs.
OS - Windows 7
Router - DLink
Virtual machine network Setting - Bridged adapter.
View 19 Replies
View Related
Jul 23, 2011
I have a sg300-10 switch. i update the firmware with the last one. Things are complicated when i create 2 VLAN. ( really 1 VLAN cause the first is native ).So i have the first VLAN with the interface 192.168.1.254 ans the VLAN 2 wich IP is 192.168.2.254
I'm connected with my workstation ( ip : 192.168.1.2/24 with GW 192.168.1.254 ) and i try to ping a web server on VLAN 2 ( ip : 192.168.2.2/24 GW 192.168.2.254 )
Ping is OK ! But when i try to reach any ports of the webserver : Nothing.
View 11 Replies
View Related
