Cisco Firewall :: ASA5510 / How To Hide All IPs Behind An Interface
Dec 17, 2012
We use filter rules on an ASA5510 firewall to direct clients to a web filtering server which generally works very well. However lately we're finding that despite having more web filtering licenses than users, the web filtering licenses are being consumed up, mainly because of a recent increase in the rollout of ipads, iphones, androids etc. We could deploy a proxy server in the wireless DMZ to make all the wireless devices appear to web filter as a single IP, and apply a single policy, but that brings it's own problems. My question is: Is there a way to hide them all behind the interface IP instead, so that all wireless devices appear to the web filter on the LAN as the wireless dmz interface IP rather than the wireless device IP?
Our ASA 5510 is running 8.0(5). We recently upgraded the license from base to security plus. By doing so the capacity of the the external port Ethernet0/0 and Ethernet0/1 should increase from the original FE to GE. But, we were still seeing 100 Mbps on our Ethernet0/0 interface. We figured that out that the provider switch is only supporting 100 Mbps which is a bottleneck for us.The provider will be upgrading there switches to 1 Gb switch.
We will have to swap the switch connections now from 100 Mbps to 1 Gb switch.What commands should we be familar ourself with?Though this will be doine in our maintenace window.All the transaltions/connections will be dropped in our production environment so we are kind of scared.
Recently, I've been having significant problems with denial of service on our ASA-5510. Two IP addresses in particular attack my ASA regularly. What kind of rule do I need to create to deny these IP's access to my firewall?
I'm currently configuring an ASA5510.I connected a laptop (IP 192.168.96.18/255.255.255.0) to port 0/2 and tried to ping 192.168.100.2 ... impossible to ping outside interface.I resetted the config of the ASA to retest more simple. [code]
We have a Cisco ASA 5510 with: -version: asa845-k8.bin -ASDM: asdm-711-52.bin
Interface "Outside" is a PPPOE configuration.We currently have 36 site to site VPN connections up and running through the "Outside" interface. Now when we try to add, via ASDM, a new site to site VPN connection, we can not choose the "Outside" interface. The interface is just not available. All other interfaces are, bot those are inside interfaces.
I tried running ASDM on a different computer (thought that ASDM or java got corrupted perhaps), but the same problem appeared.Now when we "shutdown" the outside interface and "no shutdown" it again, the "Outside" interface is available again when you add a new site to site VPN profile.
Sidenote: if we check the current profile of a succesful running site to site VPN, it say's that it's using an inside interface. But that is, ofcourse, not possible.
I am currently managing an ASA5510 using ASDM through the management port but I would like to manage the ASA through the internal port.
My concern is that I thought I remembered reading someplace that if you setup an internal port for management that it can't be used for anything else. Is this correct?
I only configured one internal port and it is the path to my LAN. I would hate to configure the port for management only to find that I disconnected my firewall from my internal network in the process. Can I use my one and only configured internal port for both ASA management and route from my LAN thru the ASA firewall?
I currently have the management port set to 192.168.1.1 and my internal interface is 10.1.1.1. If I open ASDM and connect thru the management port and select Configuration/Device Management/Management Access/ASDM/HTTPS/Telnet/SSH
select "ADD" select access type "ASDM/HTTPS" select interface "internal" IP Address "10.1.1.0" Mask "255.255.255.0"
Will that give me access to ASA management thru my internal network but cripple my network access to the ASA?
I've been trying to configure the threat-detection scanning-threat shun feature on my ASA5510 running 8.4(2) for some days now. From searching the support community I can see that I'm not the only one having a problem with this feature. The problem I'm having is that after configuring scanning-threat shun, no outside attacking hosts are being shunned. I'm using nmap to simulate a scanning attack. [code]
Is this the expected behavior of scanning-threat shun? If so this feature is of very little use to me as blocking my inside LAN is not my goal. I'm trying to protect my LAN from Internet attack. I can add the except command and exempt my LAN, but this still doesn't fix the problem of outside hosts not being shunned.
For this pair , I need to move the 'outside' interface to Gig 1/3 and change the IP addresses. (minimize the downtime)[code] Remove the ip from outside interface and add the new IP and enable to monitor interface outside?
The sonicwall handles our site to site VPN tunnels. The Cisco handles our client to site VPN connections.
I have a unit that points to 10.10.199.106 (Cisco) for internet access. All other clients on the network point to 10.10.199.108 (Sonicwall) for internet access.The device in question, a Synology NAS, is using 10.10.199.68 as it's IP address.
I'm trying to hit the web interface on the NAS from a remote site across our VPN tunnel. The IP scheme on the remote end of the VPN tunnel is 192.168.72.0/24.
Going through the VPN, I can hit every object on the network that uses .108 (Sonicwalll) as it's gateway. However, I cannot hit the unit that uses .106 (Cisco) as it's gateway.
I added a route statement (using ASDM) that routes all traffic destined to 192.168.72.0/24 to the Sonicwall so it can send it back down the VPN tunnel. If I'm understanding routing correctly, this should allow responses from NAS destined for 192.168.72.0/24 to go back down the VPN tunnel.
we have two Cisco ASA 5510 in failover configuration.We tried to change the public IP address on the Outside interface of the primary device but it didn't works. The new IP is not reachable from Internet nor pingable from device on the same LAN.The new IP address is in the same subnet of the old IP.
From the switch on which the ASA is connected and from another Cisco PIX we can see the ARP entry. In the analysis, on the old public IP address there was a VPN site-to-site and Webvpn defined.We tried also to shut/no shut the interface and reboot the device.
I have run out of public facing IP addresses and I need more. Assuming I have been issued 184.108.40.206/24 and my new/additional range/subnet issued is 2.2.2/0/24 - Can I carry on with the same configuration on my ASA5510 and just add static NAT for new services in the 220.127.116.11/24 range.
i.e.existing config route 0.0.0.0 0.0.0.0 18.104.22.168 (upstream ISP) Interface outside ip address 22.214.171.124 255.255.255.0 NAT 126.96.36.199 to 10.1.2.3
or, assume my ISP will deliver 188.8.131.52 to my outside interface (184.108.40.206.1/24) and if my NAT is in place it will get delivered to 10.1.2.3 inside. or, put another way I dont need change my set-up as I just static route to my ISP!
my real public IP is a /27 can I use my broadcast address (its a legit public IP address)?
i.e 220.127.116.11/27 = 18.104.22.168 to 22.214.171.124 Outside interface = 126.96.36.199/27
Can I use 188.8.131.52 and NAT it to an internal server?
Do I correctly understand that when two ASA 5510 are in fail over pair, the switchover from primary to secondary if one interface of primary goes down shall happen ONLY if failover link is up? So when the fail over link is down and one interface on primary got down also, interface tests between the two ASAs still are being done , but secondary SHALL NEVER try to become active.
In this case why to make tests on data interfaces ? What is the reason to make them? If the knowledge of that some interfaces of primary became down comes through failover link - no need to make additional interface tests - primary will tell about the failure to secondary. If so should run no monitor-interface if name command to dis load devices and network by foolish tests?
We have several pairs of ASA5510s in failover A/P mode, some running 8.3(2) and others running 8.4(1).
e0/0 = outside e0/1 = inside m0/0 = management
The problem we're having is we can't get anything to route out of the management interface unless we put in a static route at least to the subnet level. For example, we want syslog traffic to exit out m0/0 to our syslog server 10.71.211.79. Our 'gateway of last resort' points to the next hop out e0/0, and a second static route with a higher metric and a more distinct network space is for m0/0 as in:
This doesn't work, and ASDM loggin gives this error: ".....Routing failed to locate next hop for udp from NP Identity Ifc:10.72.232.89/514 to management:10.72.211.79/514"
If I put in a more granular subnet route, or a host route of the syslog server it works, such as:
route management 10.72.211.0 255.255.255.0 10.72.232.94 10 <------------- this works
route management 10.72.211.79 255.255.255.255 10.72.232.94 10 <------------- this works too
Why won't a static route for 10.71.0.0 255.255.0.0 work in this case?
We are going to have numerous hosts access and be sent messages though the management interface of these ASAs, and it would be very burdonsome to have to add a host, or even a subnet, route for every one. I've removed all static routes and tried to rely on EIGRP, but that doesn't work. I also had to put 'passive-interface management' under the EIGRP for this to work.
Here is the pertinant ASA config concerning syslog, routing, and interfaces:
I have an ASA5510 running version 8.2(5) I am having an issue with routing/natting from an internal network to the outside interface IP on port 443 which has a nat back in to another internal address. i works externally in from a public address. i also see log messages to do with IP Spoofing
on the outside interface i cant perform the command ip address dhcp setroute.I get the error: IP and subnetmask form invalid pair indicating broadcast or network address.The commands are there when I do the ? command. It just will not accept the command with or without dhcp.I am trying to test an ASA-5510 as a 4G failover to our ASA-5520. This is Verizon's solution but they did not provide IPs, they use passthru on the 4G modem so I'm trying to set up dhcp. It worked a few days ago. Not sure what Im missing. The IP I got last time from Verizon was 192.168.0.199.
I currently have an ASA5510 with 2 interfaces (outside and Inside) running remote VPN for clients and L2L VPN for a couple of sites. I have traffic entering the inside interface, matching interesting traffic, being wrapped up in IKE / IPSEC and sent out via the outside interface. All straightforward so far.Now I have a new VPN which is required to go over another interface and not the outside. The traffic comes in to the inside interface as normal and should be matched via ACL, encrypted and sent out th e new interface however the traffic is simply sent out of the outside interface and doesn't get any IKE headers. If I reconfigure the interface to be be the outside it does at least match the ACL, wrap it up nicely in IKE and try to get to get to the remote peer.My questions are why does this behaviour occur and why isnt the traffic marked interesting and sent out the new interface.I don't have any issues creating a new VPN if I want it to go external, I just add the required information to the outside_map but i need the traffic to be encrypted and sent over another interface. I not a huge fan of the GUI for this but I've tried both CLI and GUI with the same results.
i have a strange issue on a link between two ASA5510: both ASAs are interconnected by a P2P Fastethernet link, and the traffic between both ASAs is being secured by a L2L IPsec tunnel. The configured MTUs are 1500, however packets bigger than 1020byte are being dropped. IOS is 8.0(5). I didn't find so far any CAVEAT describing it.
Is this kind of configuration possible? Can the VPN tunnel go thru the Firewall to another interface (DMZ) on it? And not to end “outside” interface.I have DMZ network in ASA5510 interface and I like to end the L2L IPsec VPN tunnel on it. The tunnel mas go thru the ASA from Internet via outside to the end point DMZ interface. The traffic is decrypted to that interface. So the VPN L2L peer interface is the DMZ interface IP address, not the Outside interface IP address.
I have a scenario where there is an ASA5510 configured as follows:
Interface0 = Outside Interface1 = LAN Interface2 = DMZ Interface3 = unused Running ASA version 8.2
All network operations are fine, as are the IPSEC tunnels to other branch offices, and the incoming SSL VPN accessed via the IP address assigned to the external adapter.
My problem is that I have a device on the DMZ that needs to access the AnyConnect service hosted on the external adapter so that it can access LAN resources. When I try accessing it, I see the following errors appearing in the debug log:
3Dec 03 201212:10:50710003[DMZ client address]51031[AnyConnect ExternalAddress]443TCP access denied by ACL from [DMZ client address]/51031 to DMZ:[AnyConnect ExternalAddress]/443 If you look closely, it suggests an ACL issue from the DMZ client to the external AnyConnect IP address BUT it suggests the Anyconnect IP address is on the DMZ interface.
I have been working on figuring out a VPN problem on my companies ASA5510. I was accessing the device via: ASDM, SSH using Putty, and even initially with a console cable (also using Putty) using a computer in the networking closet. All 3 of these access methods worked properly for me.I believe I may have inadvertently changed something as of Friday using ASDM. I am mostly assuming this because, as of yesterday I can no longer connect to the device. I actually cannot even communicate with it (ping the interface I normally use to manage, which I could previously ping). No computer on the same subnet as me is able to ping the interface. The device is still accepting VPN connections, dishing out DHCP addresses and everything else it normally does, but I really need to be able to gain access to it again. I am thinking to reboot the device when there is some downtime, in the hopes that ASDM doesn't save to startup-config and only to running-config.
We are having Cisco ASA 5540 having Cisco Adaptive Security Appliance Software Version 8.0(5)23 at certain time of moment daily wer are facing latency and packetdrop wherin when I checked for ASA Interface which gives me " Input Errors" on outside interface ,so can any one tell me what are the causes to get input errors on cisco asa outisde interface.
My question is can my traffic goes from inside interface to outside interface? (because the inside interface address not from 10.0/172./192.168 private address)Also I'm allowing internet from this email server (184.108.40.206) so what my access list to be configured? and what my subnet mask shoud be there?
Pix(config)#access-list outbound permit tcp 220.127.116.11 255.255.0.0 any eq 80 Pix(config)#access-list outbound permit udp 18.104.22.168 255.255.0.0 any eq 53 Pix(config)#access-group outbound in interface inside
I have two ASA5510's set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one run just fine with new images.
I don't have the exact error right now, as I need to do a screen capture from console. It's just a huge crash dump.Are there anything I might have missed during the upgrade? Should I cold-boot both the firewalls in the correct order?
I have configured a L2L VPN on a Cisco 1841 ISR. I am statically NATing some of my internal hosts to IP addresses that are included in the encrypted traffic. Please note that not all of the internal hosts are being NATed. I am doing this to hid some of the real IP addresses on the inside network. I have confirmed that the VPN works, as well as the NATing of the VPN traffic. I have traditionally configured L2L VPNs on Cisco ASA 5500 series appliances, and this is my first attempt with the 1841 ISR. I just want other to take a look a see if I missed anything, or, could I have done some of the configuration more efficiently. All comments are welcome.