Cisco Firewall :: ASA5505 With Base License - Access From Dmz To Internal
Dec 18, 2011
we have a cisco ASA5505 with base license and 3 interface configured. Internal 192.168.1.1/24 DMZ 172.16.0.1/24 Outside 20.20.20.20/24 The DMZ is configured to allow the traffic pass to the outside interface only (base license allow only traffic to one interface) in order to let clients on this network to browse internet. On the outside interface there's a nat configuration that let the port 443 to be natted to an in internal server. Is it possible to let the clients in DMZ to access to the internal server on port 443 from the outside interface?
We have purchased an ASA 5510 with CSC module. Unfortunatelly, white envelope with PAK for activation a Base License was lost before we managed to register it.
I am working on ASA 5505 with Base License that uses 3 VLAN's.
-My VLAN 1 is for used for my home network. -VLAN 2 is connected to the public Internet and my IP gets assigned by ISP dynamically. -VLAN 3 is DMZ where I will have few VM's that would need access to and from the Internet.
I am looking to work with following:
1) 172.16.0.2 that sits on DMZ will need to access public Internet over port 80 2) Permit access from the Internet over port 3389 to 172.16.0.2 3) Permit any host on private VLAN (192.168.0.0 network) to access 172.16.0.2 over the port 3389 4) Permit second VM on the DMZ VLAN let say 172.16.0.3 to access public Internet on all ports. Access in to this host is not permitted. 5) For some reason DHCP hosts are NOT getting DNS (8.8.8.8) entry when IP hets assigned or renew. I have a statements below but it is not working.
Also, if ACL rules for VoIP are written correctly. The goal is to permit these ports (SIP related) to access VoIP router. [code]
I'm tring to setup a DMZ for a guest wireless off of a 5505. So this device has a base license. It has vlan1 and vlan 2 for inside and outside.Another vlan is configured to be a failover for the currently active wan connection. It is using the "no forward interface" command.Can I add another vlan as a DMZ if I use the "no forward interface" command? [code]
I have ASA 5505 with base licence. I configured NATing and VPN(site to site). All are working fine.My ASA is base license so i created 2 VLANS, one is inside and outside.Inside i am using 10.91.40.0/24 serie IP addresses.Below are the new requirements that i need to configre:
1. First 30 IP addresses only needs internet directly.( Servers and Management)
2. If remaining IPs likes to use web then traffic needs to forward one proxy server( where he gives user authentiation)
My ASA 5505 base license allows for three VLANs, the third one can only initiate traffic to one other VLAN (as specified by no forward interface vlan <number> on the third VLAN). This doesn't mean it can't "access" the other VLAN, it just can't initiate traffic to it. A lot of people get that wrong.Let's say you've got three VLANs, one is OUTSIDE, two is DMZ, and three is INSIDE. On the second VLAN would I enter the no forward interface as vlan 3, then set the name via the nameif command and everything will work just fine. The DMZ will not be able to initiate traffic to the INSIDE, but will to the outside, and assuming you have your ACLs and NAT set up properly, it will be able to respond to traffic from the INSIDE.
Would that be best practice or would I enter the "no forward" interface as in VLAN 1, thus is being able to respond to traffic from the outside as opposed to the inside.
I had a DMZ set up but since there was an intrusion into my network, I am building it again.
I have a couple of 5505's with base licenses. One of the two has a limited output when running the sho version command, as it has a restricted license. What license I would need to buy in order to bring it up to "normal" base license ?
Well, I tried using the cisco configuration for ASA 5505 for blocking P2P: url...but this configuration only is usefull with programs like Kazaa, so I try this configuration to block ARES but the problem is that ARES try to make downloads from different ports, ¿How do I block ARES if there are sereveral ports ?
I have a base 5505 and would like to get AnyConnect working. To do that, would I have to first purchase either an essentials or premium license and then purchase the AnyConnect Mobile license?
we have a customer with a ASA 5510 with a CSC module in it. The device tells us the Base license has expired. The new license has been renewed - after - the grace period. The Trendmicro site tells us the Base license is valid until 21 october 2013 but the CSC refuses to acknowledge this. The module is able to fetch updates form the Internet so it does not look like a connection problem to me (it also has a plus license which is also valid till far into 2013 and that one works).Is it possible that the current license key is "dead" and the CSC expects a new license key because the grace period was expired?
I have a LAN with multiple VLANs connected through Catalyst 3750 with IP Base image. In IP Base the router only supports PIM stub multicast (no PIM multicast routing),But I have an ASA connected to the internal router and to the internet router.Asa supports PIM multicast routing and can act as PIM RP. With this configuration, is there a way to configure an internal multicast network? That is a multicast server in one internal vlan (VLAN 1) and multicast clients in VLAN 2. Both VLANs connected to the C3750 router.
I have 10 user license for Cisco ASA, i have to use this ASA for client connectivity. Can i do NAT of more than 10 users with this license? What i understand is NO.
But as per Below explaination looks like, i can if i am not doing default routing? Actually i just need to add a specific Route towards client DMZ interface on my ASA, no default route, so can i use more than 10 concurrent sessions with this license?
I have Cisco ASA5505 8.2(5) connected with Cisco 5520 8.2(1) via IPSEC tunnel, I was able to SSH from the inside 5520 to inside IP of the asa5505. but I after I upgrade the license to security plus at 5505 I lost the SSH and ASDM to inside IP of 5505 from the inside network of the 5520. however I still can use SSH and ASDM on outside IP of 5505.
I did a lot of testing to make it work but I couldn't I added SSH 0.0.0.0/0 inside and outside also I added acl on both interfaces. when I did a trace on the outside interface from the private network of 5520 to 5505 inside IP I got IPSEC spoofed by the way that trace only works with security plus because I try to test on all my other firewalls 8.2(5) it shows nothing and all my firewalls can accessed from the private network 5520 except the one with the security plus!
I have a spare ASA5505 w/Base License that we want to use as the router/firewall between our wi-fi network and our secondary internet connection. Currently we have a NetGear box as the router there and it is on its last legs. In order for the ASA w/Base license to be able to issue over 150 IP address via DHCP which license do I need to purchase for it.
I want to confirm if the upgrade license (ASA5505-SW-10-UL=) is backward compactible with PIX 501 firewall device? though pix 501is end of life bit i want to verify if the upgrade license for asa5505 will work with it?
a client of ours bought an ASA5505-BUN-SEC-K9, and it was working fine, for some reason (beyond me) they flashed the memory and configuration in an attempt to fix smoe problems they were facing. Now they are faced with the dilema that the SEC license is no longer visible and usuable, so how can they recover this license knowing that they have bought the bbundle mentioned above?
i've checked in on one of our 5510's and also on a 5505 but i don't seem to find the license duration (i.e "perpetual).is this normal or just an IOS or platform specific? [code] Cisco Adaptive Security Appliance Software Version 8.2(5)
My cisco representative tells me that I am limited to 10 IP addresses for my 10 user license on an ASA 5505 even though the Cisco documentation specifically states that a 10 user license allows the maximum DHCP clients to 32 IP addresses.
I want to have 30 computers get IP addresses from the ASA, but don't need any but one or two to get outside the internal network. Is this possible with a 10 USER license.
My cisco representative tells me that I am limited to 10 IP addresses for my 10 user license on an ASA 5505 even though the Cisco documentation specifically states that a 10 user license allows the maximum DHCP clients to 32 IP addresses.
I want to have 30 computers get IP addresses from the ASA, but don't need any but one or two to get outside the internal network. Is this possible with a 10 USER license.
I have configured a Cisco ASA 5505 to allow VPN access from outside to my LAN using Cisco VPN Client software. The connection is establishing properly with the ip address from my VPNPool. From outside (on VPN connection) I can ping the interface e0/0 (outside) and the interface e0/1 (inside) of the firewall, but I cannot ping the layer 3 switch interface to which the ASA is connected ( int gi1/0/22 ip address 192.168.1.2/30 ) and I cannot ping any vlan interfaces inside my switch. Therefore, I cannot connect to any server on my internal LAN. I am available at any time if further information is needed. find attached my ASA config.
We have an internal DNS server that all internal hosts do lookups to .. these requests are forwarded onto open dns for anything the dns server isnt authoritative for.. My question is we have purchased the botnet filter and this requires the asa5505 dns client to be active on at least one interface .. Should i point the asa dns to an external IP such as 8.8.8.8 and apply DNS enabled on interface outside ( am using asdm) I don't want the ASA to control DNS for our internal clients we already have a internal server for this, i DO want the asa5505 to check dns packets against its botnet filter, whilst still using open dns for forwarding.
I have a cisco ASA5505, it runs a wide site to site VPN network and has 4 servers connected to it
10.50.15.4 > fileserver 10.50.15.5 > domain controller (exchange) 10.50.15.6 > terminal server 10.50.15.7 > terminal server
Now yesterday i removed 10.50.15.6 and replaced it with a new terminal server with the same ip address, ever since the ASA is blocking traffic between it and the domain controller (example)
2Oct 27 201214:51:0510600710.50.15.655978DNSDeny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query What has me baffled is the only thing different between today and yesterday is the new server is windows server 2008 and the old one was windows server 2003. The new server has the same LAN ip address as the old one to make the changeover seamless for the users.
why all the sudden my ASA has decided to block the traffic between those machines? all the other machines can talk to it fine just not the domain controller, and seeing that this is a terminal server naturally you can see the problem i face!
this router has worked flawlessly for 2 years now without any config changes and i cant work out why its blocking traffic between those 2 machines.
we have a Cisco 2901 as a router on a stick for several vlans. Everything on the segment routes fine and accesses the internet just as they should. The 2901 connects to an ASA5505 on port 0/1. Any host connected to the ASA5505 can access the internet, but can not ping into any of the vlans off of the 2901. The strange thing is on either segement of the network I can ping all of the gateways. What is even more strange is when I run wireshark from behind the firewall going into the 2901 I can not see the packet on another wireshark instance behind the 2901. However if I start a ping for a host host behind the asa I can see the packet in wireshark on the host, which I am trying to ping, hit the gateway.
I am new to the ASA series and I am at a complete loss as to why I cannot configure this router to forward SMTP and RDP traffic to an internal host.
The packet trace tool in ASDM shows complete end-to-end connectivity for RDP but it still fails to connect from outside. This is my config file, what I need to change in order to make it work?
ASA 5505 Firmware 8.3(4), ADSM 6.4(2).I have a public IP address of 168.87.3.4.I need to forward ports (5060, 5080, etc.) to one internal address. (192168.1.1).I need to foward different ports (10020-10080) to a different internal address (192.168.1.2) Everything I read tells me how to do this in a 1 to 1 static NAT.
We are trying to migrate WCS base license to NCS 1.1 .We have procured the migration license .In the licensing guide , it is mentioned as "L-WCS-NCS1-M-K9 License first, before adding the licenses migrated from your WCS installation"
1)Whether we need to add this migration license in WCS before genrating XML file or
2)Before adding XML file in NCS we need to add this in NCS ..
I currently purchased, Cisco 1941/K9 with 2 onboard GE, 2 EHWIC slots, 1 ISM slot, 256MB CF default, 512MB DRAM default, IP Base.
Questions
1. With IP Base License, will I be able to run Frame Relay? I really need reference on what works and what doesn't between these different technology package licenses ? Actually frame relay is running on it right now, hope it doesn't suddenly stop after 60 days...
2. As I understand in order to run MPLS, I will need to upgrade to Data License "SL-19-DATA-K9". Since, I already have a Cisco 1941 to upgrade it, I need to order a spare license / paper PAK?
3. Does the IP Base License support site to site IPSEC VPN or do I need to purchase a security license "SL-19-SEC-K9"
4. Can I have both security and data license activated on the same device ?
5. If I do activate security or data license will I be able to use the IP Base features at the same time?
6. If I purchase a new Cisco 1941 with Data or Security License do I need to purchase the IP Base License then upgrade the license?
7. Is the 1941 suited for voice application routing ?
I am having a ws-3750x-12s-s switch . I want to upgrade it from ipbase to ip service. after installing ip service liciense file, when i gave command " show license detail" i found there 3 index . one is for ip base -active (permanent) ..2nd is for ip service-active(permanent) 3rd is again ip service but inactive( period 8weeks 2days) , then i cleared 1st one by giving command "clear ipbase" and reboot. but still 2 index .both for ipservice one is permanent-active another is inactive . so my question is how can i remove 2nd index which one is inactive and time period for 8weeks and 2days..?? becasue i don't need it. and it will make any problem in future ?
I am bringing up a 3750x and a 2911 to replace a 3745 router with switchport module. I was plannng on moving all the VLAN interfaces off the 3745 onto the 3750x and turning up EIGRP. I discoved the 3750 has the LAN Base license, so I can't run eigrp off of it. My question or worry now is, will the LAN base license prevent the switch from doing interface VLAN routing between the different VLAN's configured on it or will I have keep all the VLAN interfaces on the new router and just have a router on a stick setup?