Cisco Firewall :: ASA5510 Post And Pre 8.3 NAT And ACLs

Aug 30, 2012

In the near future I plan on updating all of my firewalls to 8.4; currently we're on a mix of 8.0 and 8.2. I've heard that if your equipment is on 8.2 there's an auto-conversion feature when upgrading to 8.3. However, I do not want to rely on that and am trying my hand at re-writing the NAT and ACLs myself. Attached is my pre-8.3 ASA 5510 config (sanitized) and a document that shows the particular sections pre-8.3 and what I think they should be after the upgrade.




Cisco Firewall :: Port Range Forwarding On Post 8.3 ASA5505

Jun 1, 2011

I have an ASA 5505 on a job. It is a smaller business that would have done better with an RV082, but they have what they have. It is running firmware 8.4. The client needed ports forwarded for their FTP server. The port range in this config is tcp 43333-43339. The FTP server IP is 192.168.1.2. [Code] ......


Cisco Firewall :: ASA 5505 Post 8.3 Static NAT With Least Amount Of Config

Mar 17, 2012

Working config with the least amount of code for:
 
IOS post 8.3
Subnet: 192.168.1.0 /24
 
Static NAT (from any source) to server 192.168.1.100 and allow the same incoming connections on outside interface
 
Ports:
TCP 20,21
TCP 80
UDP 50000-50020


Cisco Firewall :: ASA 8.2 Getting ACLs Loss

Jan 23, 2013

I'm almost afraid to post since my stuff is so OLD! I have a 350 Series PCI Wireless LAN Adapter in my old WinXP, not wireless-ready Compaq. I live off the grid, no landlines, and have been using a Franklin CDU680 USB air card to connect to the Internet. The air card doesn't like my Compaq - occasionally crashes it. I thought to put the air card in a router to solve the problem and communicate with the router using the Cisco 350. Bought a Cradle Point router from my ISP and plugged in the Franklin. Then spent the next 5 days trying to get the Cisco 350 to associate with the router. I now have a profile with the router's SSID in it that, according to the ACU's status report, is associated with that SSID. Problem is that there is no Internet connection.


Cisco Firewall :: ASA 5505 - Static NAT And ACLs

May 25, 2011

Currently a customer has all the LAN devices using a router as the default gateway. The router also does the dynamic NAT for internet access and has NAT/PAT rules to publish some services like HTTP and FTP. As I know, the router will permit all the incoming traffic on all its interfaces without restrictions unless there is an ACL that restricts the incoming traffic on a specific interface. Now the customer has bought a brand new ASA and wants to use it as the default gateway for the entire LAN. This means the ASA will have the internet connection and will be responsible for the NAT/PAT process.

I have configured the NAT/PAT rules already following the current router configuration, but I need to know if I have to configure ACLs allowing the incoming traffic on the Outside interface for the services I NATed.


Cisco Firewall :: ASA 5510 - Multiple V LAN's And ACLs

Feb 27, 2013

I'm having a bit of trouble determining the best way to do this... I have 12 VLANs set up (sub-interfaces on a redundant group of two NICs) on my ASA 5510. On several of these, I want them to be able to access the internet but not access other VLANs.

By default, they have a rule like "any to any less secure", and since the outside interface has a lower security level, this works great. But if I create an ACL on the interface, this rule disappears. I can restore internet access by adding an "any to any" or "(this interface's subnet) to any" rule, but this seems to imply that it allows access to any VLAN. Do I have to create a set of "deny" rules for each VLAN, on each VLAN, followed by an any-any rule to allow internet access, or is there a cleaner approach?


Cisco Firewall :: Configuring ACLs 3560 In A Lab

Dec 27, 2011

In my lab setup I configured a Cisco 3560 switch.

I configured VLAN 20 and VLAN 30.
VLAN 20 interface IP : 192.168.20.1/24
VLAN 30 interface IP : 192.168.30.1/24
Inter-VLAN communication is happening fine.
 
For testing purposes I configured extended ACLs. Here is my requirement: I want to stop communication from VLAN 30 to VLAN 20 but not vice versa.
 
Here I configured it like this:
 
access-list 111 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 111 permit ip any any
Applied the ACL on the VLAN 30 interface in the 'in' direction:
ip access-group 111 in
 
In this scenario, communication is stopped in both directions. If I ping from one of the IPs in VLAN 20 to one of the IPs in VLAN 30, I was getting Request timed out. And if I ping from one of the IPs in VLAN 20 to the VLAN 30 interface IP, I was able to ping.
 
From VLAN 30 to VLAN 20, I was getting destination host unreachable from the VLAN 30 IP (that's fine, as it's my requirement). So, a solution is needed to communicate from VLAN 20 to VLAN 30.


Cisco Firewall :: ASA 5505 ACLs On Ethernet Interfaces

Aug 18, 2011

It is my understanding that ACLs can only be bound to logical interfaces using the access-group command. However, is it possible to somehow apply ACLs simply based on the ASA's local Ethernet interface? For instance, consider the following:
 
Device A with IP 192.168.1.1/24 is connected to Ethernet0/0 on the ASA. Device B with IP 192.168.1.2/24 is connected to Ethernet0/1 on the ASA.
 
Since both devices are in the same subnet and presumably the same VLAN, is it possible to manipulate the traffic to and from physical Ethernet interfaces using ACLs in this manner?
 
My predicament is fairly simple:
 
Internet --- ASA --- ROUTER
|
DMZ
 
In addition to NAT, VPN, and various other tricks, my ASA is also routing traffic from my internal LAN and the Internet to servers in the DMZ configured on the ASA. Due to a combination of Internet and DMZ traffic, my relatively slow ASA is struggling to route and thus becoming a bottleneck. My router is comparatively modest in terms of functionality when compared to the ASA but it is fast. My ideal solution would be to somehow harness the ASA's filtering capabilities for my DMZ but use the router to get traffic to and from my internal LAN into the DMZ without using the ASA to route it.
 
Additionally, it is worth noting that my DMZ is fairly restrictive so using protected or isolated ports would not quite work for me.


Cisco Firewall :: ASA 5505 - Bypassing ACLs Online

Sep 22, 2011

I implemented an ASA5505 on an access switch on a network with a single data vlan1. When I put the device online, none of my ACLs were being matched.


Cisco Firewall :: VLANs ACLs In A 3750 Switch Stack

Jan 15, 2013

A CISCO 3750-X stack with several VLANs and many ACLs applied to the virtual interfaces. Inter-VLAN routing is on. Connected to this stack are VMware hosts with about 500 VMs. We started using the ACLs to allow connectivity between VLANs to specific hosts and it has grown to thousands of lines. I personally do not think this is good for the switch and believe the switch was not intended to be used for that security feature.

- Does it make sense to add an "internal firewall" between the CORE ROUTER AND THE 3750-X SWITCH STACK?

- Do you recommend any other way?

- Any recommended CISCO resource/white paper to read about best practice?


Cisco Firewall :: Configuring Inside ACLs With ASDM 5.2 / ASA 5005

Sep 25, 2011

I want to restrict outgoing traffic. Currently the default any, any IP rule allows all traffic from the inside to the outside.
 
So I created some rules to only allow HTTP and HTTPS. First I configured a rule to allow all DNS (TCP 53) traffic out. Then I added rules to allow HTTP (TCP 80) and secure HTTP (TCP 443) out.
 
When I apply them and try to surf out to the internet from a box on the inside network I cannot. Removing the rules, which returns the default any, any IP rule, and traffic flows.
 
Packet tracer shows that the traffic should flow. And I have had minor traffic flowing but slow.
 
How do I only allow web surfing from the inside to outside using the ASDM (5.1) to configure? I realize this is probably a very simple thing, but I only configure the ASA about once every year!


Cisco Firewall :: ASA Software 8.3 And 8.4 And Implicit Deny Rule In ACLs?

Aug 23, 2011

I have found this in documentation (the same statement for version 8.3 and 8.4):
 
"Access Control Implicit Deny: All access lists (except Extended access lists) have an implicit deny statement at the end, so unless you explicitly permit traffic to pass, it will be denied. For example, if you want to allow all users to access a network through the ASA except for one or more particular addresses, then you need to deny those particular addresses and then permit all others."

Does it mean that now all ACLs should have a manually created deny ip any any rule at the end? I have migrated one ASA to version 8.3 (no host connected and I can't test it) but after migration I don't see this rule at the end of all ACLs. Does it mean that all traffic will go through ACLs on all interfaces? I didn't find any information about this change in documents describing new software features [URL]


Cisco Firewall :: ASA 5505 Configured ACLs / NAT / No Longer Makes Directions

Aug 28, 2011

I have an ASA 5505, firmware 7.2(4). Configured ACLs, NAT, it's all working, but after a while it seems that running crashes, no longer makes the directions of NATs, the logs until they stop working. To resolve, I have to restart the ASA, and everything will work again.


Cisco Firewall :: Difference ASA5510-BUN-K9 And ASA5510-Sec-Bun-K9

Jun 6, 2012

The ASA 5510 has two models, Bun-K9 and Sec-Bun-K9; from the datasheet I found out the differences are port related and redundancy. My question is: Is there any major difference for security services between the two models?


Cisco Firewall :: ASA5510 - Unable To Ping From User Desktop To Firewall Inside IP

Jun 11, 2012

I am able to ping from the switch to the firewall inside IP and the user desktop IP but unable to ping from the user desktop to the FW inside IP. Config is below for both switch and FW Cisco ASA5510....
 
TechCore-SW#ping 172.22.15.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.22.15.10, timeout is 2 seconds:

[Code].....


Cisco Firewall :: ASA5510 Secondary Firewall Crashes After Upgrade To 8.4.1

Jun 29, 2011

I have two ASA5510s set up in failover, and the secondary keeps crashing after doing the interface checks when bringing failover up. This only happens if I try to upgrade the image on the secondary to anything newer than 8.4.1 (I've tried with 8.4.1-11 and 8.4.2). The primary one runs just fine with new images.
 
I don't have the exact error right now, as I need to do a screen capture from the console. It's just a huge crash dump. Is there anything I might have missed during the upgrade? Should I cold-boot both the firewalls in the correct order?


Cisco :: Failed POST For AP1252AG-A-K9

May 8, 2013

We have an AP1252AG-A-K9. Every time we load it up this is what we get (see below). I tried resetting the system (the "mode" way) and it did not fix the issue. I tried to reinstall the IOS and it fixes everything up and the AP will work as normal, but every time I reset the modem I will get the error message below. [code]


Cisco Firewall :: ASA5510 Firewall Transparent Mode

Sep 10, 2012

I have an ASA5510 in the office that already has 3 contexts configured, namely admin, user and server. In the server context, the last running config was not saved, and there was a power trip last Friday night. One of the sub-interfaces was affected, and I need to recreate that interface. I am getting the error below; it only allows me to make changes to those pre-defined interfaces. How do I create an extra sub-interface?


Cisco Firewall :: ASA5510 Firewall Interface Speed

Jul 21, 2011

I have an ASA5510 and I have a question about the speed the ports can handle; here is one port:
 
interface Ethernet0/2
 speed 100
 shutdown
 no nameif
 no security-level
 no ip address
 
It's Ethernet and not FastEthernet, so I figure it will only go to 10Mbps, but at the same time I can hard code the speed to 100.


Cisco Firewall :: Memory Upgrade Of ASA5510 Firewall

Feb 22, 2012

I have a Cisco ASA 5510 Firewall in use in my network, and I am planning to upgrade the flash memory from 256 MB to 512 MB and the RAM from 256 MB to 1 GB.


Cisco WAN :: 2960S Post Failures If Break Into ROM?

May 8, 2011

I have over 20 units doing the same thing and it seems to be a software issue but I don't see any bugs or posts on it. This is only on 2960S switches and not 2960 or 2960G units.
 
If I use the password reset feature to break the units into rom and then type "boot" instead of power cycling the unit, they will fail MBIST post tests. If the unit is power cycled or left to boot normally on its own, there are no issues and all post tests pass. I know MBIST is Memory Built In Self Test and was thinking maybe breaking the unit into rom disrupts those memory tests for some reason. I tried the following software and got the same results with all of the images:

122-55.SE2
122-55.SE
122-53.SE2
122-53.SE1
 
Logs attached are from the same switch, one with the password reset procedure used and one while left to boot on its own.


Cisco Firewall :: Asa5510 - How To Add Secondary Firewall

May 4, 2012

I have a Cisco ASA 5510 with Security Plus license in a live environment. I need to add a secondary firewall. I was planning to do it in active/standby mode for failover. But I have a doubt: when I do "show version" on the live ASA the output says Active/Active failover. Does this mean that I can only configure failover in active/active mode and not in active/standby (which I want to do)?

Maximum Physical Interfaces  : 8
VLANs                        : 20, DMZ Unrestricted
Inside Hosts                 : Unlimited
Failover                   : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 25
WebVPN Peers                 : 2
Dual ISPs                    : Enabled
VLAN Trunk Ports             : 8
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has an ASA 5505 Security Plus license...


Cisco Firewall :: RDP Access Through ASA5510 Firewall?

Feb 12, 2012

I am using a Cisco ASA5510 Firewall in my network in the distribution layer. A private range of network addresses is used in the network, with PAT at the FW for address translation. Presently I am encountering an issue: the users behind the FW in my network are unable to RDP at port 2000 presented at the client network. Able to Telnet on port 2000 but not RDP. Are any changes needed at the FW end to get the RDP access?


Broadband :: PC Can't Connect To Internet Post-Lightning

Aug 8, 2012

A lightning strike hit us recently (last week) and fried electronics in the house. The next morning we didn't have internet on either our PC or Apple laptop. The modem wasn't doing its blinky green light dance. I used a multi-meter; the power supply was dead. I replaced it. It did its blinky dance. I turned everything on in order: turn everything off, turn the modem on and wait, turn the router on and wait, and turn on the PC and laptop. The good news was, the laptop got the internet, albeit much more slowly and intermittently than it used to. The PC got nothing. I've fumbled around with this for a week and can't fix it. I'm not sure if what's wrong is the router, modem, or something specific to the PC. Time Warner reported the internet is getting to my location (I called). They said the router was the problem and, consequently, not their problem. I tried connecting the laptop to the modem directly, leaving the router and PC unconnected. This works (I get the internet on the laptop, still). I tried connecting the PC to the modem and leaving the laptop and router unconnected. This *doesn't* work (I get no internet on the PC). Device manager shows that my ethernet card works. I tried sending a test packet to the modem. This also worked. Here's my ipconfig /all Microsoft Windows [Version 6.1.7600]


Authenticate Through Captive Portal Using HTTP GET / POST?

Mar 16, 2012

I work at a public library, and our wireless network is controlled with a captive portal. I am using the app Tasker on my Verizon Galaxy Nexus (Android 4.0.3) to do things like automatically silence the phone when it connects to the wireless network. What I'm hoping to do is get it to also automatically authenticate with the captive portal. I know this is possible on a PC, but I'm not sure how to implement it with my phone. Tasker allows for using HTTP GET or HTTP POST. With GET I have fields for "Server:Port", "Path", "Attributes", "Timeout", "Mime Type", and "Output File". For POST I have "Server:Port", "Path", "Data", "Timeout", "Content Type", and "Output File". Here is documentation about these two methods:

Quote: HTTP Get: Send an HTTP GET request to a webserver. The response code is stored in %HTTPR. A response code of -1 indicates a problem making the request. Any returned data is stored in the variable %HTTPD if the content type is text-based (max 4K).

Example: running a script

Server:Port: [URL] [no port specified, use port 80]
Path: cgi-bin/palpable.pl
Attributes: [must be separated by newlines, no spaces please]
colour=pink
scent=rosy

[code]....


Wireless Doesn't Work Post Upgrade?

Mar 8, 2012

I upgraded my computer with a new graphics card and power supply. When I turned it on everything ran fine except for the internet. I either get a connection with 1 bar, a connection but no internet access, or no internet at all. Did I damage something on the motherboard that could cause this?


Cisco Switching/Routing :: C2960 Switch Post Failure

Apr 23, 2013

I have a C2960-24TT-L Switch with the following problem: When the power cord is plugged into the switch, all switch indicator LEDs go on very briefly. Then the SYST LED blinks very briefly, goes on steady and remains in this state without any indication at the console. Tried the reset by holding the MODE button while plugging in power but I still get no indication at the console. All is fine with the console, meaning that if I take out the cable and plug it into another switch, then I see all that there is to be seen. My question: Is the switch beyond repair or is there something that can be done to get the switch to run POST and boot to rommon so that I can reload SW and configs?


Cisco Wireless :: 3500 / 3600 - Post 7.2.111-3 Upgrade Lost All APs?

Feb 8, 2013

Lost my access points to the controller. Not sure if it was related to the upgrade from 7.1 to 7.2, or something else.
 
The console log on the APs shows:
 
*Mar  1 00:01:09.394: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan  1 10:24:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 142.100.64.8 peer_port: 5246
*Jan  1 10:24:23.424: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 142.100.64.8
*Jan  1 10:24:23.424: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Jan  1 10:24:23.424: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 142.100.64.8:5246
*Jan  1 10:24:23.424: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
  
All 3500/3600 APs, had been in production for months.


Cisco VPN :: ASA5540 - AnyConnect Mobility Client / Post-login Security Message?

Jul 27, 2011

Using AnyConnect Secure Mobility Client, logging into an ASA5540. After I put my credentials in, I get the banner message (from group policies). After I accept that, I get another pop-up message stating: It looks like a pre-set message. Where can I disable and/or edit this message?


Cisco Switching/Routing :: CBS3020-HPQ / Port Fails POST In Loopback Test?

Jun 5, 2012

I have a Cisco CBS3020-HPQ chassis switch running IOS 12.2.(25r)SEF3. One of the ports is in the "disabled" state but when I try to unshut it, it doesn't work; the switch log shows the following event:
 
%PLATFORM_ENV-3-LOOPBACK_PORT_POST_ERR: Gi0/1 can't be brought up because it failed POST in Loopback test
 
How do I resolve this? The port is unusable since I cannot get it out of the "disabled" state.


Cisco Switching/Routing :: 3850 System LED Blinking Fast - Not Getting Past POST?

May 14, 2013

I pulled a brand new Cisco 3850 Switch out of the box yesterday.  Following the Quick Start Guide, I put in the power module, powered it on, and waited for it to complete POST.  Then, I plugged in an Ethernet cable between a laptop and the switch on a port in the front, and went to the web interface at https://10.0.0.1.  I got to the Express Setup, and attempted to change the IP address of the switch to an IP on my LAN, along with other options.  When clicking submit, it didn't appear to take.  Upon refreshing in the Express Setup, the IP config was blank, so I once again configured it.  This time clicking submit brought up a message that it was changing the IP address.  I waited for it to finish, and when it looked done, I powered the switch off and took it to a different room to hook it up to the LAN for further configuration.
 
When plugging in the power at that point, the switch starts through the normal light process (System LED blinks green slowly), and then eventually the System LED blinks green very fast and never stops. It doesn't get to the point of having the system loaded and ready to log into. There are no amber lights, just the System LED flashing green fast. On the back, the Power module and all bay lights are green, and the Console light is green, but the Management port light is off.
 
I've tried using the reset button on the back of the switch two different times to reset it to default configuration, thinking I hosed it somehow, but it never goes past the fast blinking System LED.


Cisco Firewall :: Using SCP On ASA5510

Mar 14, 2011

We have to use scp on all of our network devices. It worked quite well on our routers and switches but I can't seem to get it to work for the firewalls and IPS. I enabled scp on my ASA5510 using the command "ssh scopy enable". I also ensured that an rsa key was generated and that ssh ver 2 was enabled. But I can't seem to locate the commands to actually have my firewall either copy its configuration to a server or reach out to a server to pull down a file. We are using IOS 8.2(1).


Cisco Firewall :: ASA5510 Rdp With QoS

Mar 22, 2011

I have a customer who wants to prioritize RDP traffic through the firewall. I know that it's port 3389, but outgoing traffic is a random port number. Any smart way to catch this traffic and get it into the LLQ?








Copyrights 2005-15 www.BigResource.com, All rights reserved