Cisco Firewall :: ASA5505 - With Two Trusted Interfaces / Traffic Not Going Out Of Inside2?
Nov 14, 2011
I'm going nuts with this ASA5505. This is a secondary firewall used only in emergencies when the primary Checkpoint failes.
The basics, it has two trusted interfaces, E0/1 and E0/2-6. E0/1, inside2 has 192.168.01/29 and inside is 192.168.200.1/24. I'd like any traffic to be allowed from inside and inside2 to outside and any traffic from the inside interfaces should be routed. No restrictions should apply between the two interfaces.
inside works just fine but no traffic is going out of inside2, not to outside or to inside.
View 8 Replies
ADVERTISEMENT
Jun 12, 2011
Our ASA 5520 firewall is running 8.0(4) IOS.I have an internal L2L VPN terminating on my firewall (from an internal remote site) on ENG interface.With the default "sysopt connection permit-vpn" command enabled, VPN traffic is allowed to bypass the ENG interface acl.The security level on the ENG interface is set at 50.The security level on the destination interface PRODUCTION is set at 40.Inbound VPN traffic bypasses ENG interface acl and since higher-to-lower security level allows VPN traffic to flow freely from ENG to PRODUCTION, it seems the only place to check/filter VPN traffic is an ACL placed on the PRODCTTION interface and set at INBOUND (outbound VPN traffic).
View 4 Replies
View Related
Jun 13, 2012
I am fairly new to configuring ASA's. I have an ASA 5505 with one outside interface and three inside interfaces (inside1, inside2, and management). I need inside1 and inside2 to be able to talk to eachother but cannot work out how to make this happen. They are both configured to the same security level and the 'Enable traffic between interfaces with same security level' box is ticked. I have also tried adding appropriate NAT and Access rules. The packet tracer suggests the rules are correct for allowing traffic flow between interfaces but obviosly this may not be the case.
View 14 Replies
View Related
Nov 9, 2011
I trying to allow traffic between 2 inside interfaces with the same security level. VLAN1 and VLAN15. The are on different physical ports on the ASA. I tried to configure this through the GUI Web interface and checked ' enable traffic between two or more interfaces with the same security levels'. With this ASA version, I do not need NAT to allow this, correct?
ASA Version 8.2(1)
!
hostname ciscoasa
[Code].....
View 1 Replies
View Related
Jan 15, 2013
I need to route to sub nets form 2 different ASA interfaces. The ASA also has an outside interface works like gateway for internet access. Here is my configuration:
ASA Version 8.2(1)
host name ICE3
names
interface Ethernet0/0
name if outside
security-level 0
ip address 201.199.xxx.xx 255.255.255.248
[Code]....
View 9 Replies
View Related
Oct 10, 2011
I've been trying to figure this one out for quite a while. I currently have 2 inside interfaces (data, phone) and I am moving to 3 inside interfaces (servers, workstations, phones). I have not been able to get any traffic between the interfaces. With the current setup it was not a major problem. With the new setup it will be a major problem.
Below is a sanitized version of the config.
ASA Version 8.2(1)
!
hostname BOB
[Code].....
View 11 Replies
View Related
Apr 18, 2013
I have a an ASA 5520 connected to a Layer 3 (3750) switch (Inside) and a connection to a 2960 switch (Outside) to get to the internet. . I have created vlan interfaces on the 3750 switch and enabled ip routing on the switch to enable the vlans to communicate with each other.
Vlan Interfaces on the switch:
Vlan 100 172.17.1
Vlan 200 172.18.1
Vlan 300 192.168.3.1
I want the devices connected to the 3 vlans to be able to pass through the firewall and get out to the internet.I have connected the ASA to the 3750 by routed interfaces (10.10.10.1) --------- (10.10.10.2) and they are able to ping each other.I have also put a default route on the 3750 sending all traffic from the switch to the ASA inside interface (10.10.10.1)The issue that i am having is that the ASA also connects to a 2960 which has a connection to the Internet, and they are handing off an ethernet connection from the 2960 that sits in VLAN 55 (Vlan 55 is the Internet accessible vlan).How do I configure my ASA to send all traffic from my (3) vlans to the interfaces that connects to the 2960 switch?
View 21 Replies
View Related
Jan 25, 2013
I used the GUI configuration tool for this ASA 5505. When I install it no traffic passes. I am wondering to verify my config. I have masked the usernames for VPN with xxxxxx and yyyyyy. [code]
View 6 Replies
View Related
Nov 15, 2011
I am trying to setup my very first ASA5505 and I cannot get it to pass traffic from the inside to the outside. I am not using NAT/PAT. Here is what I have done so far.
ASA5505(config)# interface Vlan 1ASA5505(config-if)# nameif insideASA5505(config-if)# security-level 100ASA5505(config-if)# ip address 33.46.132.34 255.255.255.248ASA5505(config-if)# no shut
[Code]....
Then from the asdm I permited everything from inside to go out but I cannot get any traffic through. I can ping the outside if I source the outside interface but not if I source the inside. The logs would not show me anything.
I did a packet tracer and it indicates the implicit deny rule at the end of the access-list is stopping my traffic eventhough I have allow rules above it?
I also checked the box in the asdm to allow traffic to pass without NAT
View 5 Replies
View Related
Sep 13, 2011
We have an issue where by we connect to various customers and the Cisco IPSEC remote access works fine from our LAN through an ASA5505 to a customer site.We have 1 customer that we have some issues with. We can connect from the LAN through to the customers VPN, authenticate and establish a tunnel but in we cannot pass traffic. When we try from outside of the office on a public internet connection the VPN works fine. What could cause this issue?
View 3 Replies
View Related
Mar 12, 2012
I have an ASA-5505. [code] I have an Exchange server on the 10.10.10.0 network. I need to be able to allow Active-Sync and OWA from the Guest WiFi through to the Exchange server on the 10.10.10.0 network. The Guest Wi-Fi uses external DNS so traffic is going out to the Internet and getting an IP address which is of course assigned to the Outside interface abd trying to come back in on that interface.How do I make this do what I need? How do I setup the rules to allow this traffic?
View 2 Replies
View Related
May 15, 2012
Let me start by saying that I'm just starting to study for CCNA, so the ASA seems to be a bit above me yet. The ASA's we are using is for VPN to our corporate office and only allowing access to our Citrix environment, so no direct internet allowed. We have a person who works in the remote office who has need for a caption telephone that requires direct access to the internet. The phone only supports DHCP, and getting the ASA to do an ARP reservations is proving difficult. For now I wrote an access list to allow it's DHCP address out but it still isn't working. The access list I wrote is:
access-list 101 extended permit ip host xxx.xxx.xxx.124 any log
access-list 101 extended permit ip any any
access-group 101 out interface outside
When I do a show access-list I'm seeing that traffic is hitting the access list as the hit counter has increased. When I do a show conn I'm seeing one of the IP's that the phone should have access to, however the flags are: saA, so I'm assuming they are not getting a response. According to the manufacturer, only outbound connections are needed, no incoming ports required. All traffic is TCP.
View 8 Replies
View Related
May 20, 2011
I have ASA5505 with bese-license. I like to install proxy sever in my network and i want redirect traffic to the proxy server.
Below i added configuration in my firewall.
ASA(config)#access-list wccp-servers permit ip host 192.168.6.10 any ASA(config)#access-list wccp-traffic permit ip 192.168.6.0 255.255.255.0 any ASA(config)#wccp web-cache group-list wccp-servers redirect-list wccp-traffic ASA(config)#wccp interface inside web-cache redirect in
furher configuration and if this configuration is enough, then how to check whther its working or not in my firewall.
View 1 Replies
View Related
Oct 25, 2012
I have a cisco ASA5505, it runs a wide site to site VPN network and has 4 servers connected to it
10.50.15.4 > fileserver
10.50.15.5 > domain controller (exchange)
10.50.15.6 > terminal server
10.50.15.7 > terminal server
Now yesterday i removed 10.50.15.6 and replaced it with a new terminal server with the same ip address, ever since the ASA is blocking traffic between it and the domain controller (example)
2Oct 27 201214:51:0510600710.50.15.655978DNSDeny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query What has me baffled is the only thing different between today and yesterday is the new server is windows server 2008 and the old one was windows server 2003. The new server has the same LAN ip address as the old one to make the changeover seamless for the users.
why all the sudden my ASA has decided to block the traffic between those machines? all the other machines can talk to it fine just not the domain controller, and seeing that this is a terminal server naturally you can see the problem i face!
this router has worked flawlessly for 2 years now without any config changes and i cant work out why its blocking traffic between those 2 machines.
View 15 Replies
View Related
Jul 23, 2012
I've just bought a ASA 5505 to project my LAN. I've already use Cisco router in the past but it's the first time with ASA line.Everythings work except one major point, the return traffic is blocked by the system… I don't really understand how the zone based firewall is supposed to work but it seems OK by default, my LAN side is allowed to talk with the Internet but Internet is not allowed to directly call my LAN. The NAT is setup to use the IP of my outside interface.When I try to ping a public server, the ASA debug log show me that the communication can go out the network, with the good translation, then go back to the ASA from the public server and here, the ASA block it because the communication is not allowed.I've only found two workaround:
-allow inside trafic with static rules, and I say NO ;
-disable the zone based feature by settings all zone to the 0 level…
How I'm supposed to make my state-full firewall work with zone based feature?
View 3 Replies
View Related
Sep 17, 2011
I have two attachments that show my basic network layout. I can get from the VPN Cisco Client to Workstation 2 just fine with my current NAT rules in place. I can also get from Workstation 2 to Workstation 3 just fine. But I'm having issues when I try to get from the VPN client to Workstation 3... What would I need to do enable to get to Workstation 3 from the VPN client? IT seems very simple to me (just PAT that traffic as I do the traffic from Workstation 2 to Workstation 3) but that does not work.
View 10 Replies
View Related
Mar 10, 2011
I've had a Cisco ASA 5505 firewall connected to a cable modem (Virgin Media, UK) for the past 3 years. In the last 6 months or so I have noticed that the ASA would drop the outside (internet) connection intermittently, usually at least once every 1-2 weeks - the interface still shows as being up but no traffic crosses it, and computers on the inside network abruptly lose internet connectivity. Rebooting the ASA or administratively shutting down the interface and bringing it back up again would cure the problem straight away until the next time it happens.
In the last couple of days however despite nothing having been changed in the configuration the frequency of this connection drop has increased to the point where I would lose access to the internet within an hour of rebooting the ASA. It does not seem to matter whether or not there is traffic currently going out or not, inside computers just appear to suddenly lose internet connectivity.
I have tried the following without success:
1) I completely wiped the configuration (configure factory-default)
2) I changed the port the cable modem was connected to (eth0/0 -> eth0/7, changing switchport vlan accordingly)
I thought perhaps 2) had fixed it but it lasted a whole 2 hours before I woke up this morning to find that none of the internal equipment had internet access despite the fact eth0/7 was showing as up/up in ASA CLI.
This morning I manually set the eth0/7 port to "speed 10" (10Mbps, full duplex). It was previously set to be auto-negotiation (default) on both speed and duplex. As of this post it has managed to keep the outside connection up for 3 hours - but I'm not optimistic that it is fixed.
Interface counters have never shown any collisions, errors, etc - only packets input and output as expected.
Since the problem persisted across ports (eth0/0 -> eth0/7) I'm wondering whether or not the problem could either be faulty memory, or some kind of speed/duplex incompatibility between the cable modem and ASA.
View 13 Replies
View Related
Dec 30, 2012
I am a total Cisco novice who has just had a ASA5505 installed to replace a linux freeware firewall (smoothwall).I'm told that the 5505 can't port forward traffic (e.g. ssh) from two external IP addresses to two internal destination machines via the same port # (22 in this example).
View 9 Replies
View Related
Sep 25, 2012
we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?
View 3 Replies
View Related
Jan 10, 2013
we have a Cisco 2901 as a router on a stick for several vlans. Everything on the segment routes fine and accesses the internet just as they should. The 2901 connects to an ASA5505 on port 0/1. Any host connected to the ASA5505 can access the internet, but can not ping into any of the vlans off of the 2901. The strange thing is on either segement of the network I can ping all of the gateways. What is even more strange is when I run wireshark from behind the firewall going into the 2901 I can not see the packet on another wireshark instance behind the 2901. However if I start a ping for a host host behind the asa I can see the packet in wireshark on the host, which I am trying to ping, hit the gateway.
View 15 Replies
View Related
Nov 26, 2011
I am new to the ASA series and I am at a complete loss as to why I cannot configure this router to forward SMTP and RDP traffic to an internal host.
The packet trace tool in ASDM shows complete end-to-end connectivity for RDP but it still fails to connect from outside. This is my config file, what I need to change in order to make it work?
View 19 Replies
View Related
Nov 1, 2012
I have an ASA 5505 with 3 host license.I want to configure 2 outside interfaces and have inside interface. The outside interface going to a separate ISP.Will this work or do I need more licences?
View 3 Replies
View Related
Jan 28, 2013
I would like to ask a question about the setup that I'm trying to implement.I've got two WICs, 3G and LTE, in the router, one has its static IP address using 3G network, and another one has negotiated IP address using LTE network.There is no physical circuit/connection coming in to this place.Let say 3G network is (A.A.A.A|Cellular 0/0/0), and LTE network is (Negotiated IP|Cellular 0/1/0).There are two different network coming to the router. Let say they are 10.1.1.0/24, and 10.1.2.0/24,I want to route 10.1.1.0/24 traffic using 3G Network A.A.A.A Cell0/0/0,and route 10.1.2.0/24 traffic using LTE network, Negotiated IP Cell0/1/0. We're talking about only the default routes here.
View 1 Replies
View Related
Sep 12, 2012
I currently have a site to site VPN running connecting a branch office and the Main office using a ASA5510 and ASA 5505. currently PC's at the branch can access the network in the main office using interface 0/1, but we have added another ip range using interface 0/2 and I can't seem to route the traffic to both interfaces. I currently have 0/1 as inside 192.168.10.1 which works, and have added 0/2 as Inside2 192.168.20.1. I know I am forgetting something, any commands to route incoming VPN traffic so PC's at the branch office can connect to both IP ranges?
View 14 Replies
View Related
Nov 15, 2011
I have a 2911 router. One interface is configured external (WAN) and two interfaces are configured on separate internal private subnets. What is the configuration to allow all traffic in both directions between the two internal subnets?
View 21 Replies
View Related
Mar 6, 2012
How to force traffic back out the same interface from whence it entered. Review the following topology.
Internet ---> ASA 5510 ---> Static IP1 ---> F3.1 ---> 1811 F0
|-------> Static IP2 ---> F3.2 ---> 1811 F5 ---> VLAN Int
ASA F3.1 10.1.254.9/30
ASA F3.2 10.1.254.13/30
1811 F0 10.1.254.10/30
1811 F5 10.254.1.14/30
When pinging the public IP of ASA F3.2 from the internet a reply is never received because the default route on the 1811 points to ASA F3.1.
How do I get the replies from the 1811 to go back out the same interface from whence it entered ? I am sure the answer is policy-based routing, but not sure how to write the config.
View 1 Replies
View Related
Jan 14, 2013
We currently installed a 100Mbps fiber line with Ethernet hand-off. I purchased a Cisco 3925 ISR to be the gateway for this connection. I am not going to use it for any security purposes. I have an ASA5520 that will do that work. Right now I am currently just trying to get the router online.
I know the following
Laptop <--->GB 0/1((()))GB0/0<---->Ethern
et handoff from ISP.
I can ping and SSH to the outside interface of the router from outside the network. I can also ping and SSH to the router from the laptop that is directly attached to the routers GB0/1 port. From the Router's CLI I can ping IP addresses on the internet. From the laptop I can not. I can not access the internet through the router though. Here is my config.Building configuration...
Current configuration : 3724 bytes!! Last configuration change at 02:17:03 UTC Tue Jan 15 2013 by ggsis! NVRAM config last updated at 02:09:33 UTC Tue Jan 15 2013 by ggsis! NVRAM config last updated at 02:09:33 UTC Tue Jan 15 2013 by ggsisversion 15.1service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname XXXNAMEXXX!boot-start-markerboot-end-marker!!logging buffered 51200 warningsenable secret 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX!no aaa new-modelmemory-size iomem 20!no ipv6 cefip source-routeip cef!!!!!no ip domain lookupip domain name XXXXXXXXXXXXXXDomainXXXXXXXXXXXmultilink bundle-name authenticated!!crypto pki token default removal timeout 0!crypto pki trustpoint TP-self-signed-XXXXXXXXXXXXXXXXenrollment selfsignedsubject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXXXXXrevocation-check nonersakeypair TP-self-signed-XXXXXXXXXXXXXX!!crypto pki certificate chain TP-self-signed-XXXXXXXXXXXXXXcertificate self-signed
[code]...
View 10 Replies
View Related
Apr 17, 2012
I've just started a CCNA course and my lack of knowledge has me a bit stuck. My network is comprised of Cisco components and I'm semi familiar with them just from reading and looking through options. I currently am using a Cisco ASA 5520 on my network and I am trying to join another network via one of the interfaces. My network is 192.168.0.0 255.255.0.0 and my inside interface is 192.168.1.1 255.255.0.0. I enabled a second interface using a static ip of 10.0.0.1 with a subnet of 255.255.255.128. Connected to that interface, I have a Fortigate firewall at 10.0.0.2 255.255.255.128. I can ping just fine from the Fortigate network to the 10.0.0.1 interface on the Cisco ASA 5520 network, but I can not ping the 10.0.0.1 interface (or anything past it) on the ASA 5520 from any computer on the Cisco network. I've read that ACL's and NAT have to be done as well as enabling traffic between interfaces with the same security levels. (both interfaces have security levels of 100 and the option is checked to allow traffic).
Note: each network has it's own internet connection. The connection is to share information on servers on both networks with each other.
View 1 Replies
View Related
Nov 27, 2011
I have set up an ipsec tunnel between a Cisco ASA 5505 and a Fortigate 80c. The tunnel is set up as I execute pings from inside behind ASA to inside behind FG, however I cannot get connectivity to hosts behind the Fortigate (traffic is allowed through policies configured on the FG). What I noticed in packet tracer is that traffic is dropped at the step 'Vpn lookup' To troubleshoot I have configured a test ('fake') vpn connection through the vpn wizard and get the same result in packet tracer. I run 8.4 software on the ASA and this is part of the relevant config.
View 1 Replies
View Related
Jan 29, 2012
We are going to be setting up a remote access VPN to a Cisco ASA 5505, once connected to the VPN the internet traffic from the client will then go back out to the internet from the ASA (for web browsing), but Is there anyway to force the traffic through an AV server at the head office site before the traffic goes back out to the internet?
View 5 Replies
View Related
Apr 23, 2012
I am trying to configure dual ISP on my ASA5505.I have everything configured and working when eth0/0 is connected, but when I disconnect it, it doesn't route any traffic.The static route for the primary isp is removed and the static route to the backup isp shows up, but no traffic goes in or out. I should note that I'm doing this as a proof of concept so eth0/0 is connected to a router and eth0/1 is connected to another router. [code]
View 7 Replies
View Related
May 20, 2012
I have a number of sites in China, they have decent inter-country connectivity but poor connectivity when going overseas.
We have a single site in China witha dedicated 1:1 leased line that has good conectivity both inside and outside of China.
All the sites in China have ASA5505 firewalls
One of our Citrix farms is hosted in the UK and although the main site with the leased line is fine accessing the farm the other sites are not. I would like to try and tunnel just the citrix connectivity via a VPN to the China head office then use their connection to get out to the farm.
how to tunnel all traffic but not just specific traffic over the VPN.
View 3 Replies
View Related
Apr 6, 2013
I have a working L2L between two locations. Location A and Location B.
Location A: 172.16.16.0/24
Location B: 192.168.0.0/24
I would like to block anything inbound to Location A from Location B that isn't initiated from Location A. The block should be done on the ASA5505 at Location A. Location B uses an ISR G2 router. i.e. Location A can start an SSH session to a server in Location B Location B cannot start an SSH session to a server in Location. .
I tried using a VPN filter on the ASA5505 but it isn't stateful, I cannot pass any traffic when using it.
Config on my ASA:
access-list vpn-traffic extended permit ip 172.16.16.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list block-vpn-to-local extended deny ip 192.168.0.0 255.255.255.0 172.16.16.0
[Code]....
I also have an AnyConnect VPN setup for the ASA5505 and it is running 8.2(5).
View 4 Replies
View Related
