My VPN users are able to access IPV4 resources, but not IPV6, all of my other user who are not VPN users are able to access everything V4 and V6. So my network goes:
IPV4 flow = FIOS > ASA5505(IPV4 Router) > Switch > ipv4 Clients
IPV6 flow = FIOS > ASA5505(IPV4 Router) > switch > win2k8 (IPV6 Router / Tunnel) > ipv6 clients
I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.
When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.
The ASA5505 configuration is shown below.
hostname Firewall
interface Ethernet0/0
description Connected To Internet Router
switchport access vlan 10
[Code].....
I have 10 user license for Cisco ASA, i have to use this ASA for client connectivity. Can i do NAT of more than 10 users with this license? What i understand is NO.
But as per Below explaination looks like, i can if i am not doing default routing? Actually i just need to add a specific Route towards client DMZ interface on my ASA, no default route, so can i use more than 10 concurrent sessions with this license?
How can I filter my local lan's URL requests? Is it possible to have some sort of list like...
Default_User_Group
*.microsoft.com/*
*.mydomain.com
*.google.com
Then only allow certain ip's access to the entire internet like this...
Internet_User_Group
It would be nice to possibly be able to add the rules to users in my domain, then associate the domain account with an IP OR have them login to view webpages.
I say the answer is ten. That means ten hosts can be behind the firewall and hit the internet. The eleventh doesn't get to go out. I'm being told by a coworker that the "10" in the part number refers to the number of IPsec VPN peers.
Who's right?
I say if you want an unlimited number of users on the inside to be able to get to the internet, you need the ASA5505-SEC-BUN-K9
Mfg. Part: ASA5505-SEC-BUN-K9
Mfg. Part: ASA5505-50-BUN-K9
Mfg. Part: ASA5505-BUN-K9
Cisco ASA 5505 10-User Bundle includes 8-port Fast Ethernet switch, 10 IPsec VPN peers, 2 Premium VPN peers, Triple Data Encryption Standard/Advanced Encryption Standard (3DES/AES) license ASA5505-BUN-K9
I have a ASA5505 and setup SSL VPN. My users can connect to the VPN but can't get access to any of the internal servers.
View 3 Replies View RelatedI´m trying to upgrade a Customer's ASA 5505 base license from 10 to 50 users (ASA5505-SW-10-50=). But the reseller sent a ASA5505-SW-50-UL= license instead. I tried to register that license and the following messaged appeared.
Wrong Sku(s) 'ASA5505-SW-50-UL=' for 'ASA5505-K8' : Device contains following licenses 'ASA5505-SW-10,ASA5500-ENCR-K9'
Serial Number = JMX1235Z0TZ
same platform type as the failed serial number. An upgrade request is not allowed. open a Service Request using the TAC Service Request Tool at [URL].As an alternative you may also call our main Technical Assistance Center at 800-553-2447.Sincerely,Cisco Systems Licensing.
I tried to contact TAC for assistance but It's not possible because that kind of service is outside the parameters of the service contracts associated with my cisco.com profile.
I am able to successfully connect to my ASA5505 via AnyConnect via a mobile device. Upon doing so, I lose internet connectivity. My access list appear to be correct to I'm sort of at a loss.
[code]....
I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
HQ-ASA-01# show running-config
: Saved
:
[Code]......
I could access from outside to dmz but after i moved to IPv6 as there is no nat needed, i applied the acl's but dont know where i'm going wrong. I need access from outside to dmz web server.
View 4 Replies View RelatedI need to understand if ASA 5550 ver 8.2(1) is comptible with IPv6, if not what is the upgrade path to make it IPv6 compatible. The requirement is dual stack of IPv4 and IPv6 should run in the same HA cluster and later will shift IPv6 completely.
The existing infrastructure is equipped with ASA with HA Active/Active mode. The command output for required details are attached here in txt mode.
I tried to create an ACL for IPv6. But the acl always drops my packetes. Only in case I allow an Permit Icmp6 any any statement. It works.
With detailed IPv6 entries. I have got drops.
ipv6 access-list ipv6-inside; 6 elements; name hash: 0xd5eb1808
ipv6 access-list ipv6-inside line 1 permit ip host fe80::21d:71ff:fe99:d1c0 any log informational interval 300 (hitcnt=0) 0xbb4badda
ipv6 access-list ipv6-inside line 2 permit ip host 2001:a128:0:170::1 any log informational interval 300 (hitcnt=0) 0x473626da
ipv6 access-list ipv6-inside line 3 permit ip 2001:a128:0:170::/64 any log informational interval 300 (hitcnt=0) 0x5b6258d3
ipv6 access-list ipv6-inside line 4 permit icmp6 2001:a128:0:170::/64 any log informational interval 300 (hitcnt=0) 0x7778f0a9
This is the one with the permit icmp6 any any statement, it works !!
ipv6 access-list ipv6-inside; 6 elements; name hash: 0xd5eb1808
ipv6 access-list ipv6-inside line 1 permit ip host fe80::21d:71ff:fe99:d1c0 any log informational interval 300 (hitcnt=0) 0xbb4badda
ipv6 access-list ipv6-inside line 2 permit ip host 2001:a128:0:170::1 any log informational interval 300 (hitcnt=0) 0x473626da(code)
I want to ask that does ASA 5580 support the nat-pt for IPv6?
View 2 Replies View RelatedI am trying to configure Zone Based Firewall (IOS 15.2T) on Cisco 881 router for IPv6. Current setup is simple:
Zone:
LAN --> WAN zone security LAN
zone security WAN
!
class-map type inspect match-any Internet-cmap
match protocol dns
match protocol http
match protocol https
[ code ] ........
Current configuration behaves as expected for IPv4, but blocks all IPv6 traffic. If zone-security is removed from WAN interface IPv6 works normally (connected to Internet). As soon as zone-security is enabled on WAN interface all IPV6 traffic is discarded when connecting to Internet from local LAN.
Error messages on console: Half-open Sessions source destination tcp SIS_OPENING/TCP_SYNSENT
Are there any special settings for ZBF which should be turned on for IPv6 protocol?
i have a 5505 running 8.4, and my ISP is giving me a /64 IPv6 Prefix. Basically, I have a subnet between my ASA and my ISP's box which is my outside, running into a private subnet (192.168.0.0), as most of ISP does.I have my ASA behind, and i'd like to turn on IPv6 for my inside hosts, but the problem is that I can't modify the routing on y ISP's side, and thus it will assume all host are directly connected in my outside. Thus, I would need some kind of Neighbor Discovery Proxy on the Outside of the ASA. Is there such feature ?
View 1 Replies View RelatedI'm having several issues with IPv6 and ZBF. I've narrowed one of them to a very simple setup. I tried 15.1(4)M in GNS2 and 15.1(4)M3 on a 1812.
The setup is
[PC] ----- [R1] ------ [R2]
R1 and R2 are interconnected by IPv6 only and there is a tunnel over that link to carry IPv4 from R2 to PC.
And I'm trying to ping PC from R2 with IPv4. We're looking at the R1 config mainly. (the other are included for completeness)
When I try to ping the PC from R2, I get this on R1 console:
%FW-6-DROP_PKT: Dropping icmp session [::]:0 [::]:0 on zone-pair zp_vpn_to_lan class cm_icmp with ip ident 0
Which really doesn't make much sense because zone vpn and zone lan are purely IPv4 and should never see IPv6 traffic as such ...
If I remove all ZBF related config, then traffic flows without problem.
R1 config
class-map type inspect match-all cm_icmp
match protocol icmp
policy-map type inspect pm_icmp
class type inspect cm_icmp
inspect (code)
Unfortunately I didn't discover any configuration switches concerning an IPv6 firewall! So the important question is: Is there any firewall implemented at all? And if so, does it confirm to RFC6092.
View 14 Replies View RelatedI purchased the license P/N: ASA-CSC20-250U-1Y with Description: ASA 5500 CSC-SSM-20 250-User License Only Renewal (1-year)
But I had a mistake because I need support to 500 users. Now, to solve my mistake I want to know Do I can purchase another ASA-CSC20-250U-1Y to provide the 500 users suppor?
I mean, ¿are two (2) ASA-CSC20-250U-1Y equivalent to the 500 user license listed below?P/N, ASA-CSC20-500U-1Y with Description: ASA 5500 CSC-SSM-20 500-User License Only Renewal (1-year)
We have been testing out IPv6 configurations on a 5520 running 8.2(4). We have assigned EUI-64 prefix addresses to sub-interfaces to allow clients to auto-configure there IPv6 IPs and it works correctly. I used ASDM to do the original configuration and noticed that there were two different ways to do it, both of which seem to work. I can add a prefix under the Interface IPv6 Addresses dialog box and check EUI64 or I can add it under the Interface IPv6 Prefixes. But using the two methods yields two different interface configurations:
1.
interface GigabitEthernet0/1.40
vlan 40
nameif test
[Code].....
i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.
View 2 Replies View RelatedI've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
View 32 Replies View RelatedInternet ISP -> Juniper SRX 210 Ge-0/0/0
Juniper fe0/0/2 -> Cisco ASA 5505
Cisco ASA 5505 - >Inernal LAN switch.
1. Internet is connected to Juniper Ge0/0/0 via /30 IP.
2. Juniper fe0/0/2 port is configured as inet port and configured the Internal public LAN pool provided by the ISP. And this port is directly connected to Cisco ASA 5505 E0/0. Its a /28 pool IP address. This interface is configured as outside and security level set to 0.
From Juniper SRX, am able to ping public Internet IPs (8.8.8.8).
Issue:
1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30)
2. From ASA no other Public internet IP is pinging.
Troubleshooting Done so far.
1, Configured icmp inspection on ASA.
2. Used the packet tracer in ASA, it shows the packet is flowing outside without a drop.
3. Allowed all services in untrust zone in bound traffic in Juniper SRX.
4. Viewed the logs when I was trying the ping 8.8.8.8 in ASA. It says "Tear down ICMP connection for faddrr **** gaddr **
I'm trying to troubleshoot an ASA5505.
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic. I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did. That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below. However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
show ver
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"
[Code].....
ASA 5520 running 8.2
Is it possible to do static (inside,outside) with the outside address being IPv6 and the inside IPv4?
If yes, is it possible to do this in parallel with an existing static mapping that goes IPv4 to IPv4?
below is my sanitized ASA 5510 config. got an IPv6 T1 from at&t and im unable to pass any traffic from my LAN clients out.
:
ASA Version 8.2(2)
!
enable password PoBmYYxuAzCciKRA encrypted
[Code].....
At this moment (firmware 1.0.3.5) the router has no IPv6 firewall and therefore when used in a typical dual stack IPv4/IPv6 network it has no protection regarding IPv6 traffic. Hopefully this will be fixed with a firmware update before the World IPv6 Day on the 6th of June 2012.
View 1 Replies View RelatedWould like to learn from you what tools I could use in a Network that provides IPv6 visibility and also completely blocks IPv6 from being tunneled through ipv4 only networks.
I have tested this from Linux running some internal penetration test apps,but specifically running Teredo tunneling in Local LAN that is able to completely bypass security paremeters such as websence filtering servers and be able to accessing internet IPv6 sites, even its equivalent IPv6 address based on its IPv4 PAT address could be pinged from outside.. is like the PIX firewall never existed - wide opened door .
Blocking in outbound and inbound direction udp ports 3545 and 3544 seem to done the trick in dropping IPv6 at the PIX/ASA from being tunneled out or in.. Is this so ? Realy ? not to fast!! None of our local systems - users PCs or servers have IPv6 stack enabled as a policy, however, in reality this poses a serious thread.
For example, Teredo tunneling running in a host inside LAN say by a user who is a hacker can use different UDP ports from the standard listening udp 3545/3544 ports, host will still be able to tunnel IPv6 through IPv4 again, in this case I want to have tool or a strategy that can detect this internally beside being blocked at the firewall, I am looking at AIP for our ASAs would this help? What other tools could I utilized to have some sort of IPv6 awareness in our LAN without having to rung IPv6 that can provide some visibility of this invisible traffic in IPv4 LANs.
To show up the ASA as a hop in a traceroute, one can use the 'set connection decrement-ttl' feature in a policy map.During my tests I recognized, that this behaviour only affects IPv4 traffic.
An IPv6 traceroute still does not show the ASA as a hop.How can I configure the ASA to show up as a hop in an IPv6 traceroute?The ASA is a 5520 with v8.4(1) installed.
I have switch cisco 2960 ,When you boot it displays the message that is unknown for me.
View 4 Replies View RelatedI set up a cisco 2811 to replace a netgear router at the office. I have nat set up and with ccp I added a firewall on the router using the basic firewall wizard. Just about everything works internet, receiving and sending emails on exchange from the pc. Issue I'm having noone can access the company email on their phone.Also theres a camera system that would be accessible to view from the live feed from outside the office and my boss can't access the camera. I port mapped all the custom applications and added new traffic rule from self -> outzone. It didn't work tried to add one from outzone -> self or inzone but i get a prompt stating it only accepts protocols tcp,udp, sip, h323, icmp and a few other I can't think of. I'm pulling out my hair trying to get this to work everything worked seamlessly on the netgear router and nothing was really defined just the inbound ip address of the applications and protocols that are allowed.
Lets say for reference purposes my ip addresses for internet is
internet
55.34.23.43 /24
email server
192.168.10.252 /24
web cam application
192.168.10.10 /24
8000 in
8001 out
I am using ASA5505 and I would like to block certain websites such as facebook.com on some users only
View 3 Replies View RelatedThere are 10, 50 and unlimited users profiles for the ASA 5505, reason for that restriction? Does that mean for example that only 10 users can go through a 10-user 5505?
View 6 Replies View RelatedI just configure an ASA 5520, here is the config (the ip address of outside network if going to change from private direccion by reason security).
The problem that I have is the users can access to the web site through the public´s ip address but they do not can access through by name. We review all the config on the server DNS and with the command NSLOOKUP we can see that work fine. The client think that the asa is blocked the connnection.
[code]....