I'm currently configuring an ASA5510.I connected a laptop (IP 192.168.96.18/255.255.255.0) to port 0/2 and tried to ping 192.168.100.2 ... impossible to ping outside interface.I resetted the config of the ASA to retest more simple. [code]
View 1 RepliesI have been working on figuring out a VPN problem on my companies ASA5510. I was accessing the device via: ASDM, SSH using Putty, and even initially with a console cable (also using Putty) using a computer in the networking closet. All 3 of these access methods worked properly for me.I believe I may have inadvertently changed something as of Friday using ASDM. I am mostly assuming this because, as of yesterday I can no longer connect to the device. I actually cannot even communicate with it (ping the interface I normally use to manage, which I could previously ping). No computer on the same subnet as me is able to ping the interface. The device is still accepting VPN connections, dishing out DHCP addresses and everything else it normally does, but I really need to be able to gain access to it again. I am thinking to reboot the device when there is some downtime, in the hopes that ASDM doesn't save to startup-config and only to running-config.
View 5 Replies View RelatedI would like to setup a VPN to allow employees nomad that connect to our network from outside. Our router is a Cisco SA520 I tried different configurations without success ...Here is the current VPN configuration:I created my users IPSec, I can connect remotely, but I do not have network access ... Unable to access network shares, impossible to ping.
View 1 Replies View RelatedI am able to ping from Switch to firewall inside ip and user desktop ip but unable to ping from user desktop to FW Inside ip.. config is below for both switch and FW Cisco ASA5510....
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:
[Code].....
I cannot seem to determine exacly why I am not able to ping from the inside to outside using the standard 100/0 security levels respectively. I am dynamic natting the inside to the outside interface, something I don't usually do but cannot see why ICMP's are not passing through.
The Packet trace tool says there is something in the ACL but there really isn't.
Is there simply an issue of Natting to the WAN interface on a 5510?
We currently have a central hub using an ASA5510 and then a few site-to-site VPN connections to our support staff homes. The devices at the homes are Cisco routers. We were running version 8.25 on the ASA and all was working fine. We recently upgraded to version 8.42 and although all the functionality of the network is ok and it does what it should, our support staff cannot ping, ASDM or telnet to the ASA inside interface anymore whereas they could before the upgrade. The home VPNs all run on a 10.30 subnet (i.e. 10.30.1.x, 10.30.2.x etc etc). I can post our config (security edited of course), but it is quite a big config. The command management-access inside is specified and the 10.30.0.0/16 subnet is permitted to ASDM and Telnet. Are there any extra things that have to be done in version 8.42 to get this to work as the support staff do have to access the firewall for configuration purposes. At the moment, they have to telnet to one of the routers on the local LAN and then Telnet to the firewall from there.Prior to the upgrade, they were all able to ping the inside ASA interface and also telnet and HTTPS to it from their PCs at home. Now they cannot and the only change made was an upgrade to 8.42. Immediately after the upgrade none of them can ping the interface anymore and it seems it can only be accessed from the local LAN. I cannot find any access-lists that might be blocking the packets so can only assume it's something in the way 8.42 works.
View 8 Replies View RelatedI have a ASA5510 and I have a question about the speed the ports can handle, here is one port:
-interface Ethernet0/2
- speed 100
-shutdown
- no nameif
-no security-level
-no ip address
it's ethernet and not fastethernet so I figure it will only go to 10Mbps, but at the same time I can hard code the speed to 100.
We have ASA FW 5010 in our organization and we have 4 DMZ's under the DMZ interface on ASA and all DMZ's are created on sub interfaces and assigned different VLANS on each DMZ's.
View 7 Replies View RelatedWe use filter rules on an ASA5510 firewall to direct clients to a web filtering server which generally works very well. However lately we're finding that despite having more web filtering licenses than users, the web filtering licenses are being consumed up, mainly because of a recent increase in the rollout of ipads, iphones, androids etc. We could deploy a proxy server in the wireless DMZ to make all the wireless devices appear to web filter as a single IP, and apply a single policy, but that brings it's own problems. My question is: Is there a way to hide them all behind the interface IP instead, so that all wireless devices appear to the web filter on the LAN as the wireless dmz interface IP rather than the wireless device IP?
View 1 Replies View RelatedI have a fresh out the box asa5510 with 8.4 on it.I have built these before but for some reason cannot get this one to work. I am consoled on, have applied the following config but can still not ping to or from, can not asdm, cannot http/s. Arp table shows device it tries to ping, but device trying to pping it has incomplete arp entry. [code]
View 7 Replies View RelatedOur ASA 5510 is running 8.0(5). We recently upgraded the license from base to security plus. By doing so the capacity of the the external port Ethernet0/0 and Ethernet0/1 should increase from the original FE to GE. But, we were still seeing 100 Mbps on our Ethernet0/0 interface. We figured that out that the provider switch is only supporting 100 Mbps which is a bottleneck for us.The provider will be upgrading there switches to 1 Gb switch.
We will have to swap the switch connections now from 100 Mbps to 1 Gb switch.What commands should we be familar ourself with?Though this will be doine in our maintenace window.All the transaltions/connections will be dropped in our production environment so we are kind of scared.
Recently, I've been having significant problems with denial of service on our ASA-5510. Two IP addresses in particular attack my ASA regularly. What kind of rule do I need to create to deny these IP's access to my firewall?
View 4 Replies View RelatedI try to SSH and get access denied.
I try to ASDM and get "Unable to launch device manager from 172.16.252.100"
I think I am missing something. Software is 8.4(5) and running in Transparent Mode.
Inside/Outside are in bridge-group 1. No BVI is configured as we will be using Management0/0 for access.
login as: test
test@172.16.252.100's password:
Access denied
[Code].....
We have a Cisco ASA 5510 with:
-version: asa845-k8.bin
-ASDM: asdm-711-52.bin
Interface "Outside" is a PPPOE configuration.We currently have 36 site to site VPN connections up and running through the "Outside" interface. Now when we try to add, via ASDM, a new site to site VPN connection, we can not choose the "Outside" interface. The interface is just not available. All other interfaces are, bot those are inside interfaces.
I tried running ASDM on a different computer (thought that ASDM or java got corrupted perhaps), but the same problem appeared.Now when we "shutdown" the outside interface and "no shutdown" it again, the "Outside" interface is available again when you add a new site to site VPN profile.
Sidenote: if we check the current profile of a succesful running site to site VPN, it say's that it's using an inside interface. But that is, ofcourse, not possible.
I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
View 32 Replies View RelatedI am currently managing an ASA5510 using ASDM through the management port but I would like to manage the ASA through the internal port.
My concern is that I thought I remembered reading someplace that if you setup an internal port for management that it can't be used for anything else. Is this correct?
I only configured one internal port and it is the path to my LAN. I would hate to configure the port for management only to find that I disconnected my firewall from my internal network in the process. Can I use my one and only configured internal port for both ASA management and route from my LAN thru the ASA firewall?
I currently have the management port set to 192.168.1.1 and my internal interface is 10.1.1.1. If I open ASDM and connect thru the management port and select Configuration/Device Management/Management Access/ASDM/HTTPS/Telnet/SSH
select "ADD"
select access type "ASDM/HTTPS"
select interface "internal"
IP Address "10.1.1.0"
Mask "255.255.255.0"
Will that give me access to ASA management thru my internal network but cripple my network access to the ASA?
I've been trying to configure the threat-detection scanning-threat shun feature on my ASA5510 running 8.4(2) for some days now. From searching the support community I can see that I'm not the only one having a problem with this feature. The problem I'm having is that after configuring scanning-threat shun, no outside attacking hosts are being shunned. I'm using nmap to simulate a scanning attack. [code]
Is this the expected behavior of scanning-threat shun? If so this feature is of very little use to me as blocking my inside LAN is not my goal. I'm trying to protect my LAN from Internet attack. I can add the except command and exempt my LAN, but this still doesn't fix the problem of outside hosts not being shunned.
We have 2 firewall (ASA5510) pairs. Each pari configured for Active/Stdby mode.
Pair1 : Internet browising, Remote access VPN, Citirx access & L2L VPN access
For this pair , I need to move the 'outside' interface to Gig 1/3 and change the IP addresses. (minimize the downtime)[code] Remove the ip from outside interface and add the new IP and enable to monitor interface outside?
I have two routers on my internal network.
10.10.199.106 is a Cisco ASA5510.
10.10.199.108 is a Sonicwall NSA 3500
The sonicwall handles our site to site VPN tunnels. The Cisco handles our client to site VPN connections.
I have a unit that points to 10.10.199.106 (Cisco) for internet access. All other clients on the network point to 10.10.199.108 (Sonicwall) for internet access.The device in question, a Synology NAS, is using 10.10.199.68 as it's IP address.
I'm trying to hit the web interface on the NAS from a remote site across our VPN tunnel. The IP scheme on the remote end of the VPN tunnel is 192.168.72.0/24.
Going through the VPN, I can hit every object on the network that uses .108 (Sonicwalll) as it's gateway. However, I cannot hit the unit that uses .106 (Cisco) as it's gateway.
I added a route statement (using ASDM) that routes all traffic destined to 192.168.72.0/24 to the Sonicwall so it can send it back down the VPN tunnel. If I'm understanding routing correctly, this should allow responses from NAS destined for 192.168.72.0/24 to go back down the VPN tunnel.
we have two Cisco ASA 5510 in failover configuration.We tried to change the public IP address on the Outside interface of the primary device but it didn't works. The new IP is not reachable from Internet nor pingable from device on the same LAN.The new IP address is in the same subnet of the old IP.
From the switch on which the ASA is connected and from another Cisco PIX we can see the ARP entry. In the analysis, on the old public IP address there was a VPN site-to-site and Webvpn defined.We tried also to shut/no shut the interface and reboot the device.
I have run out of public facing IP addresses and I need more. Assuming I have been issued 1.1.1.0/24 and my new/additional range/subnet issued is 2.2.2/0/24 - Can I carry on with the same configuration on my ASA5510 and just add static NAT for new services in the 2.2.2.0/24 range.
i.e.existing config
route 0.0.0.0 0.0.0.0 1.1.1.254 (upstream ISP)
Interface outside ip address 1.1.1.1 255.255.255.0
NAT 2.2.2.1 to 10.1.2.3
or, assume my ISP will deliver 2.2.2.1 to my outside interface (1.1.1.1.1/24) and if my NAT is in place it will get delivered to 10.1.2.3 inside.
or, put another way I dont need change my set-up as I just static route to my ISP!
my real public IP is a /27 can I use my broadcast address (its a legit public IP address)?
i.e 1.2.3.0/27 = 1.2.3.1 to 1.2.3.31
Outside interface = 1.2.3.1/27
Can I use 1.2.3.31 and NAT it to an internal server?
Do I correctly understand that when two ASA 5510 are in fail over pair, the switchover from primary to secondary if one interface of primary goes down shall happen ONLY if failover link is up? So when the fail over link is down and one interface on primary got down also, interface tests between the two ASAs still are being done , but secondary SHALL NEVER try to become active.
In this case why to make tests on data interfaces ? What is the reason to make them? If the knowledge of that some interfaces of primary became down comes through failover link - no need to make additional interface tests - primary will tell about the failure to secondary. If so should run no monitor-interface if name command to dis load devices and network by foolish tests?
We have several pairs of ASA5510s in failover A/P mode, some running 8.3(2) and others running 8.4(1).
e0/0 = outside
e0/1 = inside
m0/0 = management
The problem we're having is we can't get anything to route out of the management interface unless we put in a static route at least to the subnet level. For example, we want syslog traffic to exit out m0/0 to our syslog server 10.71.211.79. Our 'gateway of last resort' points to the next hop out e0/0, and a second static route with a higher metric and a more distinct network space is for m0/0 as in:
route outside 0.0.0.0 0.0.0.0 192.168.49.129 1route management 10.72.0.0 255.255.0.0 10.72.232.94 10
This doesn't work, and ASDM loggin gives this error: ".....Routing failed to locate next hop for udp from NP Identity Ifc:10.72.232.89/514 to management:10.72.211.79/514"
If I put in a more granular subnet route, or a host route of the syslog server it works, such as:
route management 10.72.211.0 255.255.255.0 10.72.232.94 10 <------------- this works
route management 10.72.211.79 255.255.255.255 10.72.232.94 10 <------------- this works too
Why won't a static route for 10.71.0.0 255.255.0.0 work in this case?
We are going to have numerous hosts access and be sent messages though the management interface of these ASAs, and it would be very burdonsome to have to add a host, or even a subnet, route for every one. I've removed all static routes and tried to rely on EIGRP, but that doesn't work. I also had to put 'passive-interface management' under the EIGRP for this to work.
Here is the pertinant ASA config concerning syslog, routing, and interfaces:
interface Ethernet0/0 nameif outside security-level 0 ip address 192.168.49.140 255.255.255.128 standby 192.168.49.141 !interface Ethernet0/1 nameif inside security-level 100 ip address xxx.xxx.xxx.xxx 255.255.255.128 standby
[Code].....
I have an ASA5510 running version 8.2(5) I am having an issue with routing/natting from an internal network to the outside interface IP on port 443 which has a nat back in to another internal address. i works externally in from a public address. i also see log messages to do with IP Spoofing
View 1 Replies View RelatedI cannot seem to ping from the outside of my 5520 firewall to an inside network. I have a single physical outside interface connected to a Layer 2 switch, with a laptop connected to it. This is on network 10.11.131.0/28. From there, I cannot ping to the inside interface (which is a sub interface on G0/0) with network 10.11.130.0/24/ For some reason, it doesnt work.
Now. I had access-lists in place, but have removed them for testing and it still doesnt work. I have set the security level of inside and outside to 100, and entered the same-security-traffic permit inter-interface command - still no joy. Below is the relevant configuration.
Inside Interface
interface GigabitEthernet0/0.96
description L3 Interface - Informational Zone
vlan 96
[Code].....
I have a Cisco ASA 5505, the problem is I am not able to ping to outside natted interface (ip: 172.88.188.123 and 124 and 125) from inside network I have looked for ASA documentation through the internet and still got nothing.
the config are:
: Saved
:
ASA Version 8.2(1)
!
[Code].....
I have a new ASA 5505 and all is working fine, I can CLI and ASDM into it, but just can't ping the inside interface, do I need to enable a feature to make this work somehow?
View 1 Replies View RelatedI ran into a very strange icmp ping issue. The network has been working fine other than the issue listed below, L2L VPN works fine and all three data centers can access each other via L2L VPN.I have three ASA5510. [code]
View 5 Replies View RelatedI have an ASA 5505 that I'm trying to set up a guest network on. I've configured an interface as a trunk and allowed the 2 vlans but I'm not getting any layer 3 to it. The switch connected to it is a 3560 and port is configured as a trunk with the same vlans.
I can't ping the ASA inside interface but I see its MAC address in the swtich's table.
[code]....
The ASA is configured in very simple transparent mode. As desired, traffic can flow in each direction between inside and outside. I can manage the ASA via console and direct connection to the management interface. The problem is that I cannot ping or ssh to the ASA via the inside interface. I need to be able to manage the ASA from any PC on the inside LAN. I suspect I am missing some easy aspect of the configuration but after a lot of hours I'm about at the end of my patience with it. Here is what I believe to be the relevant parts of the config.
ASA Version 8.2(1)
!
firewall transparent
hostname issr1
enable password 2alej83t5cqT0FWd encrypted
passwd 4kleUY438I93.4ljdh encrypted
names
[code]....
So I have a client with an ASA 5520 running version 9.0 (was on 8.4) that I am trying to get either IPSec or SSL VPN configured on. I got everything setup and tried to connect. However, I couldn't connect to either. I fired up the real time monitoring and didn't see any syslog messages referring to a VPN build up. I also enabled SSH/Telnet on the outside interface and cannot connect to the ASA outside interface. I can ping the outside interface and can ping the internet from the ASA. I did set up a test ACL on the ASA and ran packet tracer on it and the results came back fine.
There is an IPS in the ASA as well, but I disabled the ACL for that and still am having these issues. Part of me wonders if the ISP has something set up to block inbound traffic. This should be a business class connection.
One of my client has BSNL leased line with LAN IP POOL we configured those on ASA 5510 nad Internet working fine but from cloud we are not getting any response for ping requiest please find running configuration below:
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.2(1)
[Code]....
one of my SNMP server 10.242.103.42 sits in MZ zone,and ACE 4710 is connected to core switch,coreswitch is connected to firewall asa.
Now iam trying to ping from MZ zone SNMP server to loadbalancer ip 10.242.105.1,iam unable to ping my LB interface to discover SLB on my SNMP server.