Cisco Firewall :: ASA5505 Connects Through Lan But Cannot Pass Traffic

Sep 13, 2011

We have an issue where by we connect to various customers and the Cisco IPSEC remote access works fine from our LAN through an ASA5505 to a customer site.We have 1 customer that we have some issues with. We can connect  from the LAN through to the customers VPN, authenticate and establish a tunnel but in we cannot pass traffic. When we try from outside of the office on a public internet connection the VPN works fine. What could cause this issue?

View 3 Replies


ADVERTISEMENT

Cisco Firewall :: ASA5505 Does Not Pass Traffic

Jan 25, 2013

I used the GUI configuration tool for this ASA 5505. When I install it no traffic passes. I am wondering to verify my config. I have masked the usernames for VPN with xxxxxx and yyyyyy. [code]

View 6 Replies View Related

Cisco Firewall :: ASA5505 Will Not Pass Traffic?

Nov 15, 2011

I am trying to setup my very first ASA5505 and I cannot get it to pass traffic from the inside to the outside. I am not using NAT/PAT. Here is what I have done so far.
 
ASA5505(config)# interface Vlan 1ASA5505(config-if)# nameif insideASA5505(config-if)# security-level 100ASA5505(config-if)# ip address 33.46.132.34 255.255.255.248ASA5505(config-if)# no shut

[Code]....

Then from the asdm I permited everything from inside to go out but I cannot get any traffic through. I can ping the outside if I source the outside interface but not if I source the inside. The logs would not show me anything.
 
I did a packet tracer and it indicates the implicit deny rule at the end of the access-list is stopping my traffic eventhough I have allow rules above it?
 
I also checked the box in the asdm to allow traffic to pass without NAT

View 5 Replies View Related

Cisco :: VPN Connects But Can't Pass Traffic?

Apr 29, 2011

A former coworker of mine setup VPN capabilities to our office network shortly before he left. It is no longer working. We can connect to VPN but I'm not able to ping any devices on the remote network or Remote Desktop to any of the server. After 30 minutes, the VPN connection drops. I have attached our ASA 5505 config to assist in troubleshooting.

View 3 Replies View Related

Cisco :: Ikev1 ASA 8.4 VPN Connects But Doesn't Pass Traffic

May 2, 2011

I setup the ikev1 client and can connect but I can't pass traffic either way. I have tried icmp, port 80, smb etc... here is my config: ........

View 9 Replies View Related

Cisco VPN :: ASA 5510 - Anyconnect Connects But Won't Pass Traffic?

Aug 11, 2011

I am trying to use a ASA 5510 with AnyConnect as an in-line SSL VPN device.  I have a separate firewall that NAT's 443 to the inside IP of the ASA, which is the only configured interface on the ASA.  I can connect to the ASA from the WAN just fine and the AnyConnect client connects just fine, I get an IP lease across the VPN on my LAN, all looks well.  The problem is that I cannot pass any traffic.  The only device on my LAN that I can ping is the ASA, nothing else including the default gateway is accessibe.  I have setup a static route on the ASA pointing 0.0.0.0 0.0.0.0 to the LAN gateway, but no dice.

View 1 Replies View Related

Cisco Firewall :: PPTP Traffic Cannot Pass Through PIX 525 7.0(7)

May 6, 2008

i read cisco document:[URL] pptp client is in inside,pptp server is in outside.when i donot use firewall, the pptp connection can establish successfully.but use pix 525 7.0(7) i config:

inspect pptp.
pptp connection cannot setup.
show connection in pix:
pptp tcp 1723 is ok.

gre connection only one "E" flag, E means 'outside back connection'.i try second method:delete 'inspect pptp',permit tcp 1723 and gre traffic from outside to inside, and i have config static nat,but the pptp connection cannot work too.so i think there is a pptp bug exist in pix 7.0(7).

View 5 Replies View Related

Cisco VPN :: 5520 - How Much Traffic Pass Through Into IPSec In ASA Firewall

Mar 20, 2013

How can I see the quantity of traffic that is passing through into an IPSec VPN in a ASA 5520.

View 3 Replies View Related

Cisco Firewall :: Allowing Multicast Traffic To Pass Through ASA5510

Mar 1, 2011

I ' m not able to configure the asa 5510 to allow the multicast traffic to pass through ASA.The multicast traffic have to pass from inside interface to outside interface.Can I configure the multicast traffic to pass through asa with a static nat ?

View 1 Replies View Related

Cisco Firewall :: 5520 To Pass Traffic Through Ssm 20 And To Create Sensors

Jun 20, 2011

I have installed asa 5520 , software ver is 8.4,I have SSM-20 installed in asa 5520. How to pass traffic through this ssm-20 ,how to create sensors,how to update signatures of this IPS module ,is there any procedure to automatically update the signatures .

View 1 Replies View Related

Cisco Firewall :: Pass Management VLAN Traffic Through ASA 5510 In Transparent

Mar 10, 2013

We have a small cisco 1800 series workgroup router that seperates our network from the outside world.  The data coming into our network goes into the router on interface fa0/1 and comes out on interface fa0/0.  fa0/0 is split into 2 sub-interfaces (fa0/0.2 and 0/0.3).  These sub-interfaces correspond to a desktop and server vlan on our network.  The workgroup router is connected to a 3560G trunk port (we'll call it switch 1) and switch 1 connects to another 3560G (we'll call it switch 2). Recently I was asked to add another layer of security to our network by installing an ASA 5510 firewall and forcing certain types of traffic to authenticate using their domain credentials for our network.  The firewall was set up between the router and switch 1 in transparent, multi-context mode.  There are 2 security contexts, 1 for the desktop vlan and 1 for the server.  Both have the same security settings applied to them since we want the same behavior regardless of whether they are trying to access the servers or the workstations.

View 2 Replies View Related

Cisco Firewall :: 5505 Transparent Mode Doesn't Pass Traffic

Dec 4, 2012

  asa 5505 do not pass traffic as a patch cord, how to make it pass traffic? [code]

View 2 Replies View Related

Cisco Firewall :: ASA 5510 Users Are Unable To Pass Traffic When Connected Through Vpn

Sep 12, 2011

I am migrating over from and old PIX to an ASA 5510. After configuring the new device everything else is functional (Internet) but users are unable to pass traffic when connected through the vpn, they are able to authenticate and I see their session connected on the ASDM but no data is passed..[code]

View 4 Replies View Related

Cisco Firewall :: Configure ASA To Send All Traffic From (3) VLans To Interfaces That Connects To 2960?

Apr 18, 2013

I have a an ASA 5520 connected to a Layer 3 (3750) switch (Inside) and a connection to a 2960 switch (Outside) to get to the internet. . I have created vlan interfaces on the 3750 switch and enabled ip routing on the switch to enable the vlans to communicate with each other.
 
Vlan Interfaces on the switch:
Vlan 100 172.17.1
Vlan 200 172.18.1
Vlan 300 192.168.3.1 
 
I want the devices connected to the 3 vlans to be able to pass through the firewall and get out to the internet.I have connected the ASA to the 3750 by routed interfaces (10.10.10.1) --------- (10.10.10.2) and they are able to ping each other.I have also put a default route on the 3750 sending all traffic from the switch to the ASA inside interface (10.10.10.1)The issue that i am having is that the ASA also connects to a 2960 which has a connection to the Internet, and they are handing off an ethernet connection from the 2960 that sits in VLAN 55 (Vlan 55 is the Internet accessible vlan).How do I configure my ASA to send all traffic from my (3) vlans to the interfaces that connects to the 2960 switch?

View 21 Replies View Related

Cisco Firewall :: Cross Interface Traffic ASA5505

Mar 12, 2012

I have an ASA-5505. [code] I have an Exchange server on the 10.10.10.0 network.  I need to be able to allow Active-Sync and OWA from the Guest WiFi through to the Exchange server on the 10.10.10.0 network.  The Guest Wi-Fi uses external DNS so traffic is going out to the Internet and getting an IP address which is of course assigned to the Outside interface abd trying to come back in on that interface.How do I make this do what I need?  How do I setup the rules to allow this traffic?

View 2 Replies View Related

Cisco Firewall :: Allowing Traffic From Inside To Outside ASA5505 7.2(3)

May 15, 2012

Let me start by saying that I'm just starting to study for CCNA, so the ASA seems to be a bit above me yet.  The ASA's we are using is for VPN to our corporate office and only allowing access to our Citrix environment, so no direct internet allowed.  We have a person who works in the remote office who has need for a caption telephone that requires direct access to the internet.  The phone only supports DHCP, and getting the ASA to do an ARP reservations is proving difficult.  For now I wrote an access list to allow it's DHCP address out but it still isn't working.  The access list I wrote is:
 
access-list 101 extended permit ip host xxx.xxx.xxx.124 any log
access-list 101 extended permit ip any any
access-group 101 out interface outside
 
When I do a show access-list I'm seeing that traffic is hitting the access list as the hit counter has increased.  When I do a show conn I'm seeing one of the IP's that the phone should have access to, however the flags are: saA, so I'm assuming they are not getting a response.  According to the manufacturer, only outbound connections are needed, no incoming ports required.  All traffic is TCP.

View 8 Replies View Related

Cisco Firewall :: ASA5505 - Redirect ASA Traffic To Proxy Server?

May 20, 2011

I have ASA5505 with bese-license. I like to install proxy sever in my network and i want redirect traffic to the proxy server.
 
Below  i added configuration in my firewall.
 
ASA(config)#access-list wccp-servers permit ip host 192.168.6.10 any ASA(config)#access-list wccp-traffic permit ip 192.168.6.0 255.255.255.0 any ASA(config)#wccp web-cache group-list wccp-servers redirect-list wccp-traffic ASA(config)#wccp interface inside web-cache redirect in
 
furher configuration and if this configuration is enough, then how to check whther its working or not in my firewall.

View 1 Replies View Related

Cisco Firewall :: ASA5505 - Blocking Internal Traffic Between 2 Servers

Oct 25, 2012

I have a cisco ASA5505, it runs a wide site to site VPN network and has 4 servers connected to it
 
10.50.15.4 > fileserver
10.50.15.5 > domain controller (exchange)
10.50.15.6 > terminal server
10.50.15.7 > terminal server
 
Now yesterday i removed 10.50.15.6 and replaced it with a new terminal server with the same ip address, ever since the ASA is blocking traffic between it and the domain controller (example)
 
2Oct 27 201214:51:0510600710.50.15.655978DNSDeny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query What has me baffled is the only thing different between today and yesterday is the new server is windows server 2008 and the old one was windows server 2003. The new server has the same LAN ip address as the old one to make the changeover seamless for the users.
 
why all the sudden my ASA has decided to block the traffic between those machines? all the other machines can talk to it fine just not the domain controller, and seeing that this is a terminal server naturally you can see the problem i face!
 
this router has worked flawlessly for 2 years now without any config changes and i cant work out why its blocking traffic between those 2 machines.

View 15 Replies View Related

Cisco Firewall :: ASA5505 Return Traffic Is Blocked By System

Jul 23, 2012

I've just bought a ASA 5505 to project my LAN. I've already use Cisco router in the past but it's the first time with ASA line.Everythings work except one major point, the return traffic is blocked by the system… I don't really understand how the zone based firewall is supposed to work but it seems OK by default, my LAN side is allowed to talk with the Internet but Internet is not allowed to directly call my LAN. The NAT is setup to use the IP of my outside interface.When I try to ping a public server, the ASA debug log show me that the communication can go out the network, with the good translation, then go back to the ASA from the public server and here, the ASA block it because the communication is not allowed.I've only found two workaround:

-allow inside trafic with static rules, and I say NO ;

-disable the zone based feature by settings all zone to the 0 level…
 
How I'm supposed to make my state-full firewall work with zone based feature?

View 3 Replies View Related

Cisco Firewall :: ASA5505 - Routing Traffic From VPN Clients To Interface?

Sep 17, 2011

I have two attachments that show my basic network layout.  I can get from the VPN Cisco Client to Workstation 2 just fine with my current NAT rules in place.  I can also get from Workstation 2 to Workstation 3 just fine.  But I'm having issues when I try to get from the VPN client to Workstation 3...  What would I need to do enable to get to Workstation 3 from the VPN client?  IT seems very simple to me (just PAT that traffic as I do the traffic from Workstation 2 to Workstation 3) but that does not work.

View 10 Replies View Related

Cisco Firewall :: ASA5505 - Outbound Traffic Ceases Even Though Port Is Up

Mar 10, 2011

I've had a Cisco ASA 5505 firewall connected to a cable modem (Virgin Media, UK) for the past 3 years.  In the last 6 months or so I have noticed that the ASA would drop the outside (internet) connection intermittently, usually at least once every 1-2 weeks - the interface still shows as being up but no traffic crosses it, and computers on the inside network abruptly lose internet connectivity.  Rebooting the ASA or administratively shutting down the interface and bringing it back up again would cure the problem straight away until the next time it happens.
 
In the last couple of days however despite nothing having been changed in the configuration the frequency of this connection drop has increased to the point where I would lose access to the internet within an hour of rebooting the ASA.  It does not seem to matter whether or not there is traffic currently going out or not, inside computers just appear to suddenly lose internet connectivity.
 
I have tried the following without success:

1) I completely wiped the configuration (configure factory-default)

2) I changed the port the cable modem was connected to (eth0/0 -> eth0/7, changing switchport vlan accordingly)
 
I thought perhaps 2) had fixed it but it lasted a whole 2 hours before I woke up this morning to find that none of the internal equipment had internet access despite the fact eth0/7 was showing as up/up in ASA CLI.
 
This morning I manually set the eth0/7 port to "speed 10" (10Mbps, full duplex).  It was previously set to be auto-negotiation (default) on both speed and duplex.  As of this post it has managed to keep the outside connection up for 3 hours - but I'm not optimistic that it is fixed.
 
Interface counters have never shown any collisions, errors, etc - only packets input and output as expected.
 
Since the problem persisted across ports (eth0/0 -> eth0/7) I'm wondering whether or not the problem could either be faulty memory, or some kind of speed/duplex incompatibility between the cable modem and ASA.

View 13 Replies View Related

Cisco Firewall :: ASA5505 - With Two Trusted Interfaces / Traffic Not Going Out Of Inside2?

Nov 14, 2011

I'm going nuts with this ASA5505. This is a secondary firewall used only in emergencies when the primary Checkpoint failes.
 
The basics, it has two trusted interfaces, E0/1 and E0/2-6. E0/1, inside2 has 192.168.01/29 and inside is 192.168.200.1/24.  I'd like any traffic to be allowed from inside and inside2 to outside and any traffic from the inside interfaces should be routed. No restrictions should apply between the two interfaces.
 
inside works just fine but no traffic is going out of inside2, not to outside or to inside.

View 8 Replies View Related

Cisco WAN :: ASA5505 Basic Configuration / No Internet Pass-through At All

Apr 8, 2012

I teach in a High School and we've got about a 300 node MS Windows Network.  Two MS2003 File Servers act as my DNS/WINS/DHCP servers. We have been using a WATCHGUARD FIREBOX III to act as the router/gateway between the outside external address and my internal (10.0.0.1) gateway address. All p.c's inside the network are routed to one of the Servers (10.0.0.2 or 10.0.0.4) for DNS/WINS/DHCP addressing.  The servers point to 10.0.0.1 for gateway.

We are trying to replace the Watchguard Firebox with a CISCO ASA 5505 (eventually we'd like to implement VPN).   When I connect the  CISCO ASA, I get no internet passthrough at all. 

View 1 Replies View Related

Cisco Firewall :: ASA5505 Can't Port Forward Traffic From Two External IP Addresses

Dec 30, 2012

I am a total Cisco novice who has just had a ASA5505 installed to replace a linux freeware firewall (smoothwall).I'm told that the 5505 can't port forward traffic (e.g. ssh) from two external IP addresses to two internal destination machines via the same port # (22 in this example).

View 9 Replies View Related

Cisco Firewall :: ASA5505 / 5510 - Prioritize Traffic Based On Destination IP?

Sep 25, 2012

we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?

View 3 Replies View Related

Cisco Firewall :: ASA5505 Appears To Be Dropping Traffic For Internal Network?

Jan 10, 2013

we have a Cisco 2901 as a router on a stick for several vlans. Everything on the segment routes fine and accesses the internet just as they should. The 2901 connects to an ASA5505 on port 0/1. Any host connected to the ASA5505 can access the internet, but can not ping into any of the vlans off of the 2901. The strange thing is on either segement of the network I can ping all of the gateways. What is even more strange is when I run wireshark from behind the firewall going into the 2901 I can not see the packet on another wireshark instance behind the 2901. However if I start a ping for a host host behind the asa I can see the packet in wireshark on the host, which I am trying to ping, hit the gateway.

View 15 Replies View Related

Cisco Firewall :: ASA5505 8.4.2 NAT To Forward SMTP And RDP Traffic To Internal Host

Nov 26, 2011

I am new to the ASA series and I am at a complete loss as to why I cannot configure this router to forward SMTP and RDP traffic to an internal host.
 
The packet trace tool in ASDM shows complete end-to-end connectivity for RDP but it still fails to connect from outside. This is my config file, what I need to change in order to make it work?

View 19 Replies View Related

Cisco WAN :: 1921 Won't Pass Traffic?

Jul 9, 2011

I can telnet to the router and ping places on the inside and outside. However when I connect a laptop to the inside interface I can ping to the outside for a bit but can't open a web page and then connectivity is gone all together. At first I thought it was a NAT issue but I know I am good on that front. I have attempted to change the speeds and duplex settings on the outside interface but it does not seem to work. Again if I take the cable from the outside interface and plug it into a laptop it works fine. The thing that makes me wonder is why can I connect to the outside interface and configure it just fine?

View 4 Replies View Related

Cisco WAN :: 877 Pass PPPOE Traffic To Another Router?

Jan 7, 2011

A PC connected to a Cisco 877 router and 877 router is connected to another router (7301) via GRE tunnel,Cisco 7301 router is a NAS server and is being used as a PPPOE server.If user create a PPPOE connection on his computer and dial with a username/pass we want to send the PPPOE traffic to 7301 router, so 877 router should pass the PPPOE traffic to 7301 and user will be able to connect,User -> 877   -> 7301(PPPOE server).

View 4 Replies View Related

Cisco WAN :: 7206 VXR Configuration To Pass MPLS Traffic?

May 28, 2013

I have a 7206 VXR router between a several Mikrotik routers on our backbone.  We have the Mikrotiks on both sides of the CIsco 7206VXR setup for MPLS/VPLS.  I need to simply setup the 7206 to pass the MPLS/VPLS tagged packets to the next router on the link.  We are using OSPF as the routing protocol.  I am told by our Mikrotik guy that I just need to enable LDP and VPLS tunnels 4:0 on the 2 gig interfaces on the 7206VXR to let it pass the MPLS/VPLS traffic.  It sounds simple but I'm not sure how to do this. 

Any commands I need to imput to allow this router to pass this MPLS/VPLS traffic. 

View 1 Replies View Related

Cisco WAN :: 3825 Router Interface Does Not Pass Traffic

Mar 7, 2012

we have a Cisco 3825 router which does not work well with a DSL  modem(ISP provided). I have configured the Gi0/0 port of the router to  plug into this DSL modem but it does not ping to the ISP gateway. If we  do a shut/no shut on the interface then it work fine for about 30 secs.  Sometimes even for 1 hr. Then the packets drop and we cannot pass any  traffic through this interface.
 
Now, if the ISP connection is terminated on a computer it works fine. It works fine without dropping any packet.I  have tried various options like using a straight/cross cable. I have  tried to configure the interface negotiation for 100/full, 100/half,  auto/auto and almost all the options.I have also tried to interconnect the devices using a L2 device like a HUB. Nothing works.

View 5 Replies View Related

Cisco VPN :: 3900 / How To Ensure All VPN Traffic Will Pass Through Router

Jan 11, 2013

I recently upgraded from a Cisco 3900 series router to a Cisco ASR1k router. Since the upgrade, I have internal clients who claim they cannot connect to external VPNs. These internal clients are behind a NAT that routes a public IP address to a group of clients with private IP addresses.
 
How can I ensure that all VPN traffic is able to pass through the NAT? 

View 2 Replies View Related

Cisco VPN :: 2811 - SSL VPN Services / Cannot Pass Traffic To Internet

Jan 17, 2013

[OK]     Site to Site IPSec + GRE = success, no problems.
[OK]     IPSec remote access = success, no problems.
[NO]     SSL VPN = remote users can successfully connect to all internal systems. Cannot pass traffic to the Internet.
 
Hardware:
Cisco 2811, Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(22)T5, RELEASE SOFTWARE (fc3) . Software: Cisco Any Connect Secure Mobility Version 3.1.01065
 
Single hub router terminating IPSec+GRE site to site, IPSec remote access, and SSLVPN remote access VPN services. All services currently configured and running successfully with the exception of the SSLVPN service. Remote users can initiate and successfully establish SSL VPN sessions. While established, connectivity to all internal systems/resources are successful. Only when the remote access client tries to connect to "Outside" Internet resources does traffic not pass successfully. Troubleshooting has pointed to a NAT related issue (I believe).
 
When connecting from a remote access workstation, utilizing IPSec remote access client (built-in Cisco IPSec client from Mac OS), the session establishes and the client works flawlessly. Examining the Cisco 2811 router, you see the /32 host route from the remote access session get installed, and you see the corresponding NAT translation entries created when the client accesses outside (Internet) resources. Appropriate configuration to implement "hair pinning" have been included to handle the in and right back out (with NAT translation) needed for remote clients to access the Internet.
 
Configured the 2811 for SSL VPN, and remote access clients can successfully connect and access all internal network resources. Examining the Cisco 2811, the /32 host route for the remote access client is installed, pointing to SSLVPN-VIF0 interface with a next hop of 0.0.0.0  When checking the NAT translation table, there are NO entries for the remote access client address created which leads me to believe the hair pinning/NAT function is not being invoked for SSLVPN clients.
 
Originally, the IPSec remote access VPN local pool was 10.0.100.0 /24. To keep from having to adjust the existing NAT translation, PBR Route-MAP for the hair pinning function - I took the 10.0.100./24 and broke it into a pair of /25 networks. Bottom half for the IPSec remote access VPN pool (10.0.100.0 /25); upper half for the SSL VPN pool (10.0.100.128 /25). By utilizing SSL VPN, is the traffic somehow bypassing the DIALER1 interface where both the crypto map (and more importantly: IP NAT OUTSIDE, and PBR configuration for the hair pinning function)? I cant explain why NAT translation entries are not being created for SSLVPN client sessions.
 
Cisco 2811 Configuration has been included. IPSec & SSL VPN Remote Access Sessions Captures (performed from same remote client) have been included.

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved