Cisco Firewall :: ASA5520 Intra-interface Communication And DNS Rewrite?
May 29, 2011
Recently, I deployed ASA 5520 as our company firewall, everything was working fine except two main problem I still can not resolve them after I did a lot of research.
1. DNS rewriting - The internal user can not access the DMZ or internal server by put in the domain or external ip address. such as [URL] will resolve our wan ip address 210.0.0.83 ( internal ip address is 192.168.1.21 ).I used static (inside,Outside) tcp 210.0.0.83 https 192.168.1.21 https netmask 255.255.255.255 dns, but it will not work. We have our internal DNS server, but don't want to just add the domain as a record. Is there anyway to get the internal user to access Internal server and DMZ server through the public domain?
2. We also have an internal multiple subnet, another router was conneting to ASA firewall inside interface and using ip address 192.168.1.223, another subnet 10.1.15.16/28 is behind the this router, for the users in subnet 192.168.1.0/24, they connect firewall inside interface directly.I added an static route and intra-interface permit route inside 10.1.15.16 255.255.255.240 192.168.1.223 1same-security-traffic permit intra-interface I also added access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.15.16 255.255.255.240access-list inside_nat0_outbound extended permit ip 10.1.15.16 255.255.255.240 192.168.1.0 255.255.255.0nat (inside) 0 access-list inside_nat0_outbound The internal users on 192.168.1.0/24 can ping 10.1.15.18 but can not telnet to 10.1.15.18 22. If I set 192.168.1.223 as one of the workstation on 192.168.1.0/24 default gateway, it can telnet to 10.1.15.18 22 without any problem.
View 2 Replies
ADVERTISEMENT
Jun 30, 2011
If you have a headsite with multiple EZVPN clients (PIX 501 & 515) connected in a star configuration can you have one remote site connect to another remote site using the intra-interface command and modifying the encryption domain on the EZVPN Server?
View 3 Replies
View Related
Oct 16, 2011
i have a Cisco ASA 5520 8.4(1) with a ASA 5520 VPN Plus license
i want to use the management interface as a regular interface (using the no management-only command)is this interface a Gig interface as well ?
View 1 Replies
View Related
Nov 5, 2012
So I have a client with an ASA 5520 running version 9.0 (was on 8.4) that I am trying to get either IPSec or SSL VPN configured on. I got everything setup and tried to connect. However, I couldn't connect to either. I fired up the real time monitoring and didn't see any syslog messages referring to a VPN build up. I also enabled SSH/Telnet on the outside interface and cannot connect to the ASA outside interface. I can ping the outside interface and can ping the internet from the ASA. I did set up a test ACL on the ASA and ran packet tracer on it and the results came back fine.
There is an IPS in the ASA as well, but I disabled the ACL for that and still am having these issues. Part of me wonders if the ISP has something set up to block inbound traffic. This should be a business class connection.
View 5 Replies
View Related
Feb 3, 2013
I'm working with AnyConnect for the first time (my prior experience is with IPSec client) and I have multiple remote users who connect to a 5520 via AnyConnect client; they need to print to each others' shared printers but currently have no connectivity between each other.
Can I configure the 'intra-interface' command to enable connectivity between remote clients, or is there more that needs to be done to enable this, presuming that it can be done at all?
View 3 Replies
View Related
Aug 8, 2012
We have an ASA 5520, working fine.One of the interfaces is connected to users PCs and printers mainly. Last months the number of devices has grown rapidly, and we would like to make some changes in it in order for it to be able to host new devices.We thought on change subnet mask of actual subnet (10.0.2.0/24) to 10.0.2.0/23, so it can hold as many devices.I understand I have to make some changes in the ASA, but my question is:What will happend to the acces rules I have created?Will I need to create them again? There are some objects which carry information about subnet mask, so I suppose I will need to redefine them, but for those without any subnet mask information, will I have to redefine them?
View 2 Replies
View Related
Apr 17, 2012
We have an ASA5520 running ver 7.0(8), nat-control is disabled. On the "outside" interface we have a closed network which is publicly addressed i.e. no access to Internet. We also have two Vlan interfaces on a trunk connection i.e. "inside" interface (Vlan7) and "dmz" interface (Vlan802). Traffic from the "outside" to "inside" is statically NAT'd such that the public IP is translated to a private IP when accessing the "inside" interface. However, our OSS servers on the "dmz" interface need to be able to receive packets from the public IP addresses on the "outside" . All is okay with the outside to inside traffic and traffic initiated from the OSS servers on the "dmz" to the outside works okay (snmp gets etc) i.e. the servers receive reply packets from the public addresses of the outside devices.
However, traffic that originates on the "outside" interface (snmp traps etc) which is destined for the "dmz" is actually being routed to the "inside" interface and therefore the public source address is being NAT'd by the static NAT command. The access-list "in_on_outside" has relevant entries to allow connectivity from outside to dmz, we have tried a static nat command (outside, dmz) to maintain the public addressing but this made no difference and also a nat exempt. With ########nat-control disabled - do I still need a translation or NAT exempt for the "outside" <> "dmz" traffic flow, if so how should this look ?
View 11 Replies
View Related
Oct 27, 2011
Currently we have two inter-chassis FWSM redundancy. I would like to configure them for intra-chassis.
Both FWSM's are in slot 7 of 6509 switches and i want to take secondary out from one of the 6509 switch and insert in the slot 3 of primary switch.
I addedd the following commands in my primary switch.
There were commands already present for FWSM in primary switch
firewall multiple-vlan-interfaces
firewall module 7 vlan-group 1
firewall vlan-group 1 2,3,777
to create intra-chassis redundancy i addedd the following command also there.
firewall module 3 vlan-group 1
after adding that, my firewalls worked fine but there was a issue with site loading. People from outside were able to access inside but from inside, we were not able to go outside.
do we need to clear arp from both FWSM's ? is there any other precautionary step, which we need to follow while working on it.
View 1 Replies
View Related
May 31, 2011
Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
My 2nd is that I have debug enabled on my rules but am not logging anything.
View 1 Replies
View Related
Aug 29, 2012
I am currently working with a vendor to get my ASA5520 setup to handle IPsec VPN connections for my clients and we are stumped with how to get the outside interface to respond to connections/requests.
I work for a state agency and our network connectivity is provided to us by another agency/department. The firewall I want to use for VPN connectivity has an outside address of 10.0.8.162 which is not routable outside the state's network. I have been assigned a set of public IP addresses for servers in my DMZ and I am wondering if it is possible to configure the ASA to utilize one of those public IP addresses for VPN communication. My DMZ network is setup as a local 192.168.10.0 network and the ASA is performing NAT translations to the corresponding public IP addresses.
Putting in a NAT rule to translate one of the public IP addresses to the 10.0.8.162 outside interface, but I wasn't sure if that would work.
View 1 Replies
View Related
Jan 1, 2012
communication between 2 vlans.i have 2 vlans
Vlan 100
ip add 1.1.1.1
!
!
!
Vlan 200
ip add 2.2.2.2
i want to make communication between 2 vlans on firewall 5520 ASA 8.2.
View 1 Replies
View Related
Feb 15, 2012
configuration of NAT on an ASA 5520. On the ASA I have 1 x WAN connection and 1 x Internet Connection as well as the Inside and DMZ. I want to translate traffic from certain subnets on the inside (say 10.1.2.0 255.255.255.0) to an outside address (say 1.2.3.0 255.255.255.0). I'm assuming the ASA using the number after the brackets to distinguish what to translate? So if I had another entry with a '2' after the brackets, any of the '1' entries wouldn't translate to this? I have access-lits inbound on the INSIDE interface, I'm assuming these are applied before any NAT and only items allowed through the access-list are allowed to NAT?
I also have an address I would like to statically NAT with a certain port number, how do I do this? After I've configured this, what are the commands to apply NAT on the interface?
View 9 Replies
View Related
Nov 11, 2012
How can I allow passive ftp communication in PIX 6.3(5)106.
View 5 Replies
View Related
Mar 12, 2011
I configured ASA 5510 ...
Totally it had 5 ports..
How to provide communication between two different interfaces which had configured as same security level?
How many trunks will support ASA 5510 with base-license?
How to configure trunk to an interface with different VLNs( Router on a stick).
View 6 Replies
View Related
Aug 10, 2012
I have a working environment but wondering if there is just a better way to accomplish what I am trying to do (without a layer 3 or 4 switch). Basically I have a few sub interfaces on my Cisco ASA5510.
Now what I do need is some of the VLANs to communicate with specific devices on the different VLANs. So for example I need computer 1 from VLAN 5 to communicate with 192.168.10.5 from VLAN 10 on ports 80 and 443.
What I am currently doing is settings the security level to 100 on each interface (including the DMZ).
Here is what I have:
interface Ethernet0/1.5
vlan 5
nameif Sub5
[Code].....
View 5 Replies
View Related
Mar 5, 2011
configure ASA 5510 as below
inside users should communicate with Hosts on the DMZ Zone and at the same time they should go for internet towards outside interface
ASA with 8.3(1)
default security levels
attached is the digram for your reference need communicate form inside to DMZ
View 1 Replies
View Related
Aug 26, 2012
I have an issue with a customer that wants to update a server behind the ACE. The problem is that when the application wants to update the server it does it with the name.Doing some research I found that you can rewrite the record DNS based on the static NAT you set up on the ACE. The feature is called DNS inspection. Is the same feature as the ASA (DNS doctoring).I apply it to the outside interface and it did not work.
View 1 Replies
View Related
Jun 11, 2013
I've been following most of the comments in regarding how to allow communication between two internal networks on a ASA5510 8.2.5 But I am still a little confused about to how to set my firewall. I made chages to it and still do not have the desired results.
I need to allow comunication between Interface 0/1 and Interface 0/2. See configuration file with fake or dummy ip address below.
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name lxx.com
[Code].....
View 1 Replies
View Related
Mar 12, 2011
Is it possible to provide communication between two different interfaces which had configured as different security level in ASA 5510?
View 3 Replies
View Related
Oct 23, 2011
I have a Cisco ASA 5510 configured to access the internet, with an:
inside interface (ethernet 0/1) 130.130.0.254 and outside interface (ethernet 0/0) x.x.x.x
I have now configured another inside interface (ethernet0/2) on ASA with the IP 172.16.0.254 and I have connected it directly to another switch with a management IP 172.16.0.5.
The problem is that the two inside interfaces (130.130.0.254 &172.16.0.254) cannot communicate with each other thus the e0/2 172.16.0.254 interface cannot access the internet.
View 5 Replies
View Related
Aug 17, 2011
As this is an ASA 5505, unlimited users, I must use arp alias to allow a secondary network.
Inside network: 10.200.31.0/24.Additional inside network: 10.200.12.0/24
Clients in both networks can reach internet, but they can't communicate with eachother. Hosts on the additional network can ping the ASA inside network IP, but nothing else. I get incomming hitcount for inside interface when 10.200.12.x tries to ping 10.200.31.x. In the error log, I see: [code]
View 7 Replies
View Related
Nov 30, 2011
ASA 5505 and DMZ, I have a Base License.
What do I need to do for access inside network to DMZ?
I successfully configure, internet Access for DZM and inside network, web server can be accessed from internet, but I have problem to configure communication from inside network to DMZ.
View 14 Replies
View Related
Jan 31, 2011
I am configuring a WAE-7341 for standalone content engine ACNS used for webcaching only.When I enable the l2-redirect and l2-return on the WAE I get high CPU on my Cisco 6504-E with WS-SUP32-GE-3B - WS-F6K-PFC3B. The 6500 shows the wccp status as L2 for redirection and return and webcache works but this CPU spikes to 70%. [code] I don't see which process is causing this but if I remove WCCP from the interface, it drops to 1% so I know for a fact that WCCP is causing this.
If I remove the l2-redirect and l2-return on the WAE, WCCP on the 6500 registers GRE for redirection and return on the 6500 and CPU drops to 5%.If I enable the "wccp webcache accelerated" option on the 6500, I cannot get WCCP up with or without the l2-return and l2-redirect options on the WAE, it displays: [code] does this 6500 not have the hardware redirect/rewrite capability? My WAE is directly connected to the 6500 WS-X6548-GE-TX blade on the same vlan that I am doing a wccp redirect on.
View 7 Replies
View Related
Aug 23, 2011
I'm stuck with some NAT issues. I've got an 800-series router wich connects to the internet via a PPP connection (dialer0). On the inside the router has 192.168.0.253/24 as IP address, the outside is negotiated with the ISP
My mailserver has the ip address of 192.168.0.1 but with default gateway of 192.168.0.254 (primary internet connection). If I use plain NAT (ip nat inside source static tcp 192.168.0.1 25 interface Dialer0 80) the packets arriving on the mailserver do have a public IP address as source address.
Would it be possible to rewrite those packets (source address) so they have 192.168.0.253 as source address. This way the mailserver won't send the replies to it's default gateway but back to the cisco router.
View 8 Replies
View Related
Jun 20, 2012
I am setting up a network that will use the 1941 router with a cellular card (HWIC) to connect to the Internet for communication with remote stations in the field. The 1941 has a static IP address (166.142.xxx.yyy) on the Internet provided by the ISP (Verizon). The 1941 is connected via ethernet to the ASA5510. The end goal is to have the field cell routers (Digi Transport WR-44-R, also static IP) connect to the ASA5510 via VPN tunnels for communication back to the servers behind the firewall. I'm not sure exactly how to configure the 1941 so that the remote router can connect to the ASA using the public IP of the 1941 router. I have the 1941 working stand alone and can connect to the Internet and pass traffic, but I tried a static NAT to translate the public IP to the private IP of the ASA and cannot pass traffic. below is part of the 1941 configuration: [code]
Do I need to use VLAN bridging to accomplish the task or am I missing something with the NAT?
View 3 Replies
View Related
Jan 22, 2013
I am planning on upgrading my 6509s to use VSS within the next few weeks. I have checked all of the hardware and software prerequisites, and we are good to go from that perspective.I do have more of a procedural question- my switches are already configured and in production, VLANs, HSRP (3 IP addresses per VLAN- 1 per switch plus virtual IP), etc. Does the VSS upgrade take all of this into account and rewrite the configuration correctly, or should I plan on redoing the entire config for the switches after the upgrade?
View 6 Replies
View Related
Dec 22, 2011
With regarding to the firewall ASA5520, i'm using it in my network, all the confiuration are properly configured and working but with the use of proxy address in internet explorer(e.:206.53.155.129/3128) all the blocked contents as easily accessible simply it bypass all the network through firewall.so will u guide me to block the proxy servers.
View 1 Replies
View Related
Feb 10, 2013
Under the section intra controller roaming, WLC 7.0 config guide states that " When the wireless client moves its association from one access point to another, the controller simply updates the client database with the newly associated access point. If necessary, new security context and associations are established as well" URL.Within the phrase "If necessary, new security context and associations are established as well" . What is meant by the new security context ? My understanding is that only an update to the MSCB (with the AP info) is the only requirement as the client is within the same controller and subnet.I just can't think why would the security info needs to be updated.
View 3 Replies
View Related
Dec 11, 2011
Core: DC : 2- 6500 (PO Trunked) Configured L3 vlan interfaces with HSRP.
Vlans:
Servers - 192.168.5.0/24
PCs: 192.168.10.0/24
Phones : 192.168.20.0/24
Replica-exchange: 192.168.30.0/24
DR- One Core SW:
Vlans:
Servers vlan - 10.10.5.0/24
PCs: 10.10.10.0/24
Phones : 10.10.20.0/24
Replica-exchange: 10.10.30.0/24
OSPF is the routing protocol. Everything works fine.New requirement (exchange 2010 MAPI & DAG subnets)
192.168.5.0 <--> 192.168.30.0 & 10.10.30.0 : Communication should fail
10.10.5.0/24<--> 192.168.30.0 & 10.10.30.0 : Fail
Replica@DC <--> Replica@DC: work
Replicas --> Rest of the nw- not that of an issue.
Iam thinking of adding a Extended ACLs on Replica-Exchange (DC & DR) and servers Vlan interfaces to block bidirectional communication.
CORE1 &2:
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.30.0 0.0.0.255access-list 101 deny ip 10.10.5.0 0.0.0.255 192.168.30.0 0.0.0.255access-list 101 permit ip any any
!access-list 102 deny ip 192.168.30.0 0.0.0.255 192.168.5.0 0.0.0.255
[code]....
Similar to the same on DR as well. I wanted to see if ACL is the way to go or any other suggested methods with OSPF being the routing protocol.
View 2 Replies
View Related
Sep 18, 2011
We want to mask part of the path prefix to hide development content: For example: the site(s) are: [URL]However we don't want anything with acme showing...so we would want the loadbalanced url to be: [URL] ...for requests and responses. I think this would be an http re-write request/response scenario?Is this possible to configure this on the ACE Device? We've got the load balance configuration down...not sure how to do this re-write type scenario?
View 2 Replies
View Related
Aug 22, 2011
I have two asa 5520 firewalls. one at my primary data center connected to our production Internet feed, and one at my fail over data center connected to a backup internet feed. I was wondering if there was an easy way to keep the firewall rules in sync between the two firewalls. We have failover with our isp that will move our public facing address block from our primary site to our dr site in the event of a disaster so the ip addresses will not change if we were to have to fail over to the DR site. currently i just have to do any changes that i make on the fail over server but would like a way to at least simi-automat this if not fully automat this so that i can eliminate the possibility of human error of a change happening at primary but never getting don at DR.
View 1 Replies
View Related
Feb 21, 2013
I have One switch 3750 and many switch 2960 c.I use one ASA 5510 to reach emote branche site (vpn conexion).I use one router 1841 for internet conexion.Router 1841, ASA and catalyst 2960 are connected on the 3750.Default gateway of all user is ASA IP
I configured Vlan 3750 and it work.Now I need to implement security : permit/block specific traffic between vlan [code] From vlan 72 I cannot have remote access on computer in vlan 34 and I cannot ping computer in vlan 34.
View 1 Replies
View Related
Mar 28, 2013
We recently extended our access layer using a pair of 5ks with extenders. We have a pair of 6509s at our core and they handle the intra-VLAN routing with SVIs. I recently noticed that access hosts connected to the extenders cannot pass traffic between each other if they are in different VLANs. The strange thing is these same hosts can ping devices in other VLANs as long as the other devices are not connected to the 5k environment.
For example, consider the following hosts. Each host has their gateway set to the appropriate SVI on our core.
HostA - VLAN100 - connected to 5k extender
HostB - VLAN200 - connected to 5k extender
HostC - VLAN100 - connected to 2960 off our core
HostD - VLAN200 - connected to 2960 off our core
Each host can ping each other with the exception of HostA and HostB. As for specifics, we use HSRP (no VSS) between our cores.
When I ping between hostA and hostB, I see the egress packets on either 5k1 or 5k2. I then see ingress AND egress on Core1. There are no ingress packets on 5k1 or 5k2.The egress packets from Core1 show the correct destination MAC address of the target host. The mac address table shows the mac address on po31.
View 16 Replies
View Related
