Cisco Firewall :: ASA5520 Routing Packets To Wrong Interface?

Apr 17, 2012

We have an ASA5520 running ver 7.0(8), nat-control is disabled. On the "outside" interface we have a closed network which is publicly addressed i.e. no access to Internet. We also have two Vlan interfaces on a trunk connection i.e. "inside" interface (Vlan7) and "dmz" interface (Vlan802). Traffic from the "outside" to "inside" is statically NAT'd such that the public IP is translated to a private IP when accessing the "inside" interface. However, our OSS servers on the "dmz" interface need to be able to receive packets from the public IP addresses on the "outside". All is okay with the outside to inside traffic, and traffic initiated from the OSS servers on the "dmz" to the outside works okay (snmp gets etc), i.e. the servers receive reply packets from the public addresses of the outside devices.
 
However, traffic that originates on the "outside" interface (snmp traps etc) which is destined for the "dmz" is actually being routed to the "inside" interface and therefore the public source address is being NAT'd by the static NAT command. The access-list "in_on_outside" has relevant entries to allow connectivity from outside to dmz; we have tried a static nat command (outside, dmz) to maintain the public addressing but this made no difference, and also a nat exempt. With nat-control disabled, do I still need a translation or NAT exempt for the "outside" <> "dmz" traffic flow, and if so how should this look?


Cisco VPN :: PIX 525 Routing To Wrong Interface?

May 2, 2011

PIX 525 6.3(4)120
 
I am trying to allow clients coming in from my "DMZ6" interface with source IPs from the subnet 192.168.2.0 /24 to ping and access hosts on my "DMZ1" interface with destination IPs in the subnet 10.5.11.0 /24. I think I have the associated static NATs and the ACLs set up to allow this to happen. What I have noticed from syslog messages is that the PIX is trying to build the TCP connection to the "Inside" interface, rather than to DMZ1. Even though the destination host (10.5.11.12) is directly connected on DMZ1, the PIX is still trying to send the traffic to the "Inside" instead. I tried adding a host route to force 10.5.11.12 /32 pointing to DMZ1 and the PIX still tries to send the packets Inside. This only seems to happen when I try to go from DMZ6 to DMZ1. If I try to access hosts located in DMZ3 for example, which is also a directly connected interface on the PIX, it appropriately builds the connection to DMZ3. Here are the pertinent rules. Why would the PIX want to build the connection to the Inside, even though it knows that the destination host IP is directly connected to DMZ1?
 
ip address DMZ1 10.5.11.1 255.255.255.0
ip address DMZ6 10.5.16.1 255.255.255.0
ip address inside 10.5.18.17 255.255.255.240

[Code].....


Cisco Firewall :: ASA5520 Use Management Interface As Regular

Oct 16, 2011

I have a Cisco ASA 5520 8.4(1) with an ASA 5520 VPN Plus license.
 
I want to use the management interface as a regular interface (using the no management-only command). Is this interface a Gig interface as well?


Cisco Firewall :: Can Ping ASA5520 Outside Interface But Cannot Connect To Other

Nov 5, 2012

So I have a client with an ASA 5520 running version 9.0 (was on 8.4) that I am trying to get either IPSec or SSL VPN configured on. I got everything set up and tried to connect. However, I couldn't connect to either. I fired up the real time monitoring and didn't see any syslog messages referring to a VPN build up. I also enabled SSH/Telnet on the outside interface and cannot connect to the ASA outside interface. I can ping the outside interface and can ping the internet from the ASA. I did set up a test ACL on the ASA and ran packet tracer on it and the results came back fine.
 
There is an IPS in the ASA as well, but I disabled the ACL for that and still am having these issues. Part of me wonders if the ISP has something set up to block inbound traffic. This should be a business class connection.


Cisco Firewall :: Reset TTL To 64 On All Packets Leaving 5505 Outside Interface

Jan 3, 2012

I would like to know if I can reset the TTL value for all IP packets to 64 as they exit my network through an ASA5505 to the outside network. Can this be done on a 5505?


Cisco Firewall :: Changing Subnet Mask In An ASA5520 Interface

Aug 8, 2012

We have an ASA 5520, working fine. One of the interfaces is connected to users' PCs and printers mainly. In the last months the number of devices has grown rapidly, and we would like to make some changes in it in order for it to be able to host new devices. We thought of changing the subnet mask of the actual subnet (10.0.2.0/24) to 10.0.2.0/23, so it can hold as many devices. I understand I have to make some changes in the ASA, but my question is: what will happen to the access rules I have created? Will I need to create them again? There are some objects which carry information about the subnet mask, so I suppose I will need to redefine them, but for those without any subnet mask information, will I have to redefine them?


Cisco Firewall :: ASA5520 Intra-interface Communication And DNS Rewrite?

May 29, 2011

Recently, I deployed an ASA 5520 as our company firewall; everything was working fine except two main problems I still cannot resolve after a lot of research.
 
1. DNS rewriting - The internal users cannot access the DMZ or internal server by putting in the domain or external IP address. For example [URL] will resolve to our WAN IP address 210.0.0.83 (internal IP address is 192.168.1.21). I used static (inside,Outside) tcp 210.0.0.83 https 192.168.1.21 https netmask 255.255.255.255 dns, but it will not work. We have our internal DNS server, but don't want to just add the domain as a record. Is there any way to get the internal users to access the internal server and DMZ server through the public domain?
  
2. We also have multiple internal subnets; another router is connected to the ASA firewall inside interface using IP address 192.168.1.223, and another subnet 10.1.15.16/28 is behind this router. The users in subnet 192.168.1.0/24 connect to the firewall inside interface directly. I added a static route and an intra-interface permit:

route inside 10.1.15.16 255.255.255.240 192.168.1.223 1
same-security-traffic permit intra-interface

I also added:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.15.16 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.1.15.16 255.255.255.240 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

The internal users on 192.168.1.0/24 can ping 10.1.15.18 but cannot telnet to 10.1.15.18 22. If I set 192.168.1.223 as the default gateway of one of the workstations on 192.168.1.0/24, it can telnet to 10.1.15.18 22 without any problem.


Cisco Switching/Routing :: ASA5520 - Commands To Apply NAT On Interface?

Feb 15, 2012

Configuration of NAT on an ASA 5520. On the ASA I have 1 x WAN connection and 1 x Internet connection as well as the Inside and DMZ. I want to translate traffic from certain subnets on the inside (say 10.1.2.0 255.255.255.0) to an outside address (say 1.2.3.0 255.255.255.0). I'm assuming the ASA uses the number after the brackets to distinguish what to translate? So if I had another entry with a '2' after the brackets, any of the '1' entries wouldn't translate to this? I have access-lists inbound on the INSIDE interface; I'm assuming these are applied before any NAT and only items allowed through the access-list are allowed to NAT?
 
I also have an address I would like to statically NAT with a certain port number; how do I do this? After I've configured this, what are the commands to apply NAT on the interface?


Cisco Switching/Routing :: 3750X Switches Dropping Packets On Uplink Interface?

May 9, 2013

We have a remote site that is using 3750X switches as layer 2 switches back to our home site. The uplink port is showing dropped packets but the utilization on the link is never above 10%. We have a 100Mb circuit to this site. Our speed tests and iperf tests are not showing any issues that we can see. However the port is still dropping packets. It is not dropping at a high rate but they are dropping.
  
switch#sh platform port-asic stats drop gi1/1/4
  Interface Gi1/1/4 TxQueue Drop Statistics
    Queue 0
      Weight 0 Frames 0
      Weight 1 Frames 0
      Weight 2 Frames 0
    Queue 1
      Weight 0 Frames 52876
      Weight 1 Frames 2
      Weight 2 Frames 0
    Queue 2
      Weight 0 Frames 0
      Weight 1 Frames 0
      Weight 2 Frames 0
    Queue 3
      Weight 0 Frames 0
      Weight 1 Frames 0
      Weight 2 Frames 1330874
    Queue 4
      Weight 0 Frames 0
      Weight 1 Frames 0
      Weight 2 Frames 0
    Queue 5
      Weight 0 Frames 0
      Weight 1 Frames 0
      Weight 2 Frames 0
    Queue 6
      Weight 0 Frames 0
      Weight 1 Frames 0
      Weight 2 Frames 0
    Queue 7
      Weight 0 Frames 0
      Weight 1 Frames 0
      Weight 2 Frames 0
switch#
         
Is there a way to capture these dropped packets to see what they are? We do have VOIP phones at the site and are using QoS.


Cisco Firewall :: ASA5520 To ASA5520 Via L2L Tunnel

May 31, 2011

Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
 
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
 
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
 
My 2nd is that I have debug enabled on my rules but am not logging anything.


Cisco WAN :: 1841 / Effect Of Assigning Wrong IP To Router Interface?

Dec 21, 2010

What are the possible effects of assigning an invalid address like 172.22.0.0 255.255.255.252 to a router interface. The 1841 router accepted the address?


Cisco WAN :: C1921 One Way Multicast And Wrong Interface Info In Show Ip

Nov 5, 2012

C1921, running version 15.1(4)M2, with licence for "IP base" feature set only. Trying to pass multicast via a PPTP VPN from a Windows XP machine to work around a non multicast-aware WAN link.

1. With the IP Base feature set I am able to create a plain PPTP VPN without any encryption; the Windows XP machine can bring it up and unicast data passes through it OK in both directions.
 
2. But when trying to send multicast, only one-way traffic is observed:
i. Windows XP host on far end of PPTP VPN and a local PC both running old Microsoft tool "MPING.EXE", sending and listening for traffic on the group 225.100.101.102
ii. The distant host receives and echoes back the packets received from the local machine + sending its own (confirmed with Wireshark running at the far end)
iii. But the local machine directly connected to the C1921 router does not hear any packets from the far end; Wireshark shows only the ones it is sending.
 
3. Group status ("show ip igmp membership") as far as the C1921 is concerned shows both ends (192.168.50.10 (local end) and 192.168.50.201 (distant end via the PPTP VPN)) joined to the group [code]

4. But "show ip mroute" for that group shows an error; for the source on the far end of the PPTP VPN (having the IP address 192.168.50.201), the source interface is incorrectly shown as GigabitEthernet0/0 (should be Virtual-Access2.1 for that PPTP VPN) and the outgoing interface is shown as Virtual-Access2.1 [code]

5. I have tried adding static mroutes and messing about with parameters for the virtual-template interface for the PPTP VPN, but the problem remains. And if I put another local PC onto a different Ethernet port of the router, the multicast traffic does flow both ways - so the issue is solely with the PPTP VPN. After a week of head-scratching I am getting more and more convinced that it's a bug... but wonder if it is already known, has a workaround, or a fix in newer firmware?


Cisco Firewall :: ASA5520 - Stub Multicast Routing And Forwarding?

Jun 26, 2011

I can't seem to find where in ASDM (6.4.1) we can configure IGMP forwarding: ASA5520(config-if)# igmp forward interface outside. The ASDM doc reference does not seem to be correct, pointing to: configuring Stub Multicast Routing

Step 1 In the main ASDM window, choose Configuration > Device Setup > Routing > Multicast > IGMP.
Step 2 In the Multicast pane, check the Enable Multicast routing check box.
Step 3 Choose MForwarding.
 
which generates:
 
ASA5520(config-if)# mfib forwarding


Cisco Firewall :: ASA5520 8.21 - Setup Routing For Non-contiguous Address Range?

Apr 13, 2011

ISP assigned us the following:
xxx.yyy.zzz.32/30 as the outside interface network. This means .33 is the next hop, gateway, or default route. This means .34 is the outside interface on the ASA.
xxx.yyy.zzz.64/26 as the IP address pool. This means xxx.yyy.zzz.65 to xxx.yyy.zzz.127 is the address pool.
xxx.yyy.zzz is identical in all cases. Addresses .35 through .63 are owned by other parties and are not usable to us.
The 33-34 setup works using static routing - IPSEC VPN is set up and functioning properly using these addresses.

[ie. Route outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.33] 
 
After NAT and ACL entries are created to provide an alternate external IP address on the outside interface [ie. static (inside,outside) [external ip] [name] netmask 255.255.255.255 and access-list [name2] extended permit tcp any host [alternate outside ip] eq https], attempting to browse to an internally hosted website from an external IP address results in the following messages in the ASDM log.
 
6 Apr 14 2011 17:58:51 110003 [redacted external IP Address] 37763 [Internal Website Name] 80 Routing failed to locate next hop for TCP from Outside:[redacted external IP Address]/37763 to Inside:[Internal Website Name]/80
 
How do I set up routing for this non-contiguous address range?


Cisco WAN :: 2801 - QoS - Packets Arriving On Interface

Feb 2, 2012

I have a Cisco 2801 router, fast 0/0 - internal network and fast 0/1 - internet.
 
I have packets coming into fast 0/0 with dscp values ef, cs3, cs5, etc ... going to the internet through fast 0/1. I only have basic configuration on fast 0/1 - no service-policy, no class-map, configured.
 
Scenario: packets with dscp values arriving in fast 0/0 will exit fast 0/1 to the internet.

Question: Will these packets be tagged with the same dscp values when they exit to the internet?

Is this true, or do I have to make some configuration changes at my end to have this scenario configured?
 
class-map match-any VoIP-Signalling
match ip dscp af31
match ip dscp cs3
match ip dscp cs5
class-map match-any VoIP
match ip dscp ef


Cisco VPN :: ASA5520 Outside Interface Non Route-able Address

Aug 29, 2012

I am currently working with a vendor to get my ASA5520 setup to handle IPsec VPN connections for my clients and we are stumped with how to get the outside interface to respond to connections/requests.
 
I work for a state agency and our network connectivity is provided to us by another agency/department. The firewall I want to use for VPN connectivity has an outside address of 10.0.8.162 which is not routable outside the state's network. I have been assigned a set of public IP addresses for servers in my DMZ and I am wondering if it is possible to configure the ASA to utilize one of those public IP addresses for VPN communication. My DMZ network is set up as a local 192.168.10.0 network and the ASA is performing NAT translations to the corresponding public IP addresses.
 
I thought of putting in a NAT rule to translate one of the public IP addresses to the 10.0.8.162 outside interface, but I wasn't sure if that would work.


Cisco Firewall :: Log Shows Wrong Source / Destination ASA 8.3

May 25, 2011

The Cisco ASDM or the event manager show the wrong source/destination for teardown tcp messages. In this example the communication is an ssh session from 1.1.1.1 -> 2.2.2.2 ssh, and the connection is reset by 2.2.2.2.
 
The message build outbound is correct, i.e. source is 1.1.1.1 (message id is 302013)
 
But the teardown is incorrect, i.e. source for the connection is 2.2.2.2 which is definitely not true (message id is 302014)
 
Also there seems to be a documentation bug in syslog messages for ASA 8.4 since the message for the teardown 302014 is gone!


Cisco Firewall :: 5510 - Verify Wrong Password For VPN Users?

Apr 8, 2011

When you use debug crypto isakmp 127 on the ASA 5510 in order to troubleshoot remote access VPN users, which entry are you looking at in the debug to see if the user entered a wrong password?


Cisco Firewall :: Wrong Default Gateway VPN IPSEC ASA5510

Nov 24, 2011

I've configured an IPSEC VPN on my ASA5510. It assigns IP/NETMASK/Gateway via a DHCP server on the LAN. The problem is that when a client is connected to the VPN, it takes the right IP and NETMASK (192.168.1.109 / 255.255.255.0) but the Default Gateway is wrong (192.168.1.1). It should be the default gateway of my LAN router (192.168.1.229).


Cisco Firewall :: ASA5520 Bypass All Network Through Firewall

Dec 22, 2011

With regard to the firewall ASA5520, I'm using it in my network; all the configuration is properly configured and working, but with the use of a proxy address in Internet Explorer (e.g. 206.53.155.129/3128) all the blocked contents are easily accessible; it simply bypasses the whole network through the firewall. So will you guide me to block the proxy servers?


Cisco Firewall :: ASA 5510 - Routing Between Interface

Mar 26, 2013

I attached the complete config. The earlier discussion, I cannot select reply. Looks like ACL is denying it. But I am not sure which one or how to permit it.
 
sh run
: Saved
:
ASA Version 8.0(4)

[Code].....


Cisco Firewall :: ASA 5510 - Routing Between Interface

Mar 26, 2013

I have a WAN interface and 2 LAN interfaces. I need both LANs to be able to access a server outside the network via the WAN (outside) interface. I am using an ASA 5510 firewall instead of a router, because I don't have a router. It looks simple enough but it does not work. I ping from a PC (172.16.22.8) connected to the LAN (inside) network to 10.10.10.1, which is the WAN local interface, and that also did not work. But from the ASA firewall, I could ping my LAN (inside) PC. I followed a config I got from this forum. However, it did not work. Below is my config.

interface Ethernet0/0
nameif outside
security-level 0

[Code]....


Cisco Firewall :: Keep ASA5520 Firewall In Sync

Aug 22, 2011

I have two ASA 5520 firewalls: one at my primary data center connected to our production Internet feed, and one at my failover data center connected to a backup Internet feed. I was wondering if there was an easy way to keep the firewall rules in sync between the two firewalls. We have failover with our ISP that will move our public facing address block from our primary site to our DR site in the event of a disaster, so the IP addresses will not change if we were to have to fail over to the DR site. Currently I just have to do any changes that I make on the failover server, but would like a way to at least semi-automate this if not fully automate it, so that I can eliminate the possibility of human error of a change happening at primary but never getting done at DR.


Cisco Firewall :: ASA5505 - Routing Traffic From VPN Clients To Interface?

Sep 17, 2011

I have two attachments that show my basic network layout. I can get from the VPN Cisco Client to Workstation 2 just fine with my current NAT rules in place. I can also get from Workstation 2 to Workstation 3 just fine. But I'm having issues when I try to get from the VPN client to Workstation 3... What would I need to enable to get to Workstation 3 from the VPN client? It seems very simple to me (just PAT that traffic as I do the traffic from Workstation 2 to Workstation 3) but that does not work.


Cisco Switching/Routing :: WRT110 - Two Router LAN - Wrong IP?

Feb 27, 2012

I currently have a wired router (Cisco RV042), a wireless router (Cisco WRT110), and a switch for my network. I have the RV042 on a 192.168.5.1 subnet, and that is where my server and other local resources are. I wanted to add wireless for guests, but do not want the guests to have access to local resources, so I plugged the wireless router into the RV042 and configured it for a 192.168.1.1 subnet. I can get internet access, but when I connect with a laptop to the wireless router, I end up being assigned an IP in the 5.1 subnet. I set up the VLAN setting in the RV042 for the correct port, but for some reason I am still being assigned the wrong IP, and I can hit local resources on the wireless.


Cisco Firewall :: Policy Based Routing To ASA5550 Inside Interface?

Mar 4, 2011

Is it possible to establish PBR rules that set the ip next-hop to point directly to the inside interface of the ASA5550? Or do I need to direct this PBR traffic first to a directly connected router interface and then default route to the ASA? At a high level, here's what we have:
 
ISP 1 - with /21 IP Prefix
No BGP Routing
3845 Edge Router - Default Route to ISP 1
PIX535 Firewalls (HA) - Default Route to Edge Router
LAN Core/Distribution - Default Route to PIX535 Inside Interface
All applications/services use this egress path for PAT/NAT/DMZ/VPN/Etc.

Here's what we are adding:
 
ISP 2 - with /24 IP Prefix
No BGP Routing
3925E Edge Router - Default Route to ISP 2
ASA5550 Firewalls (HA) - Default Route to Edge Router
Same connectivity to LAN Core/Distribution

Goals:
Maintain ISP 1 for now
Migrate only end user Internet traffic to ISP 2
No disruptions to applications/services using current DefGW to PIX535

Question: how to best use PBR to selectively direct traffic to the ASA inside interface?


Cisco Firewall :: ASA5510 - Routing / NATing From Internal Network To Outside Interface IP

Jun 3, 2012

I have an ASA5510 running version 8.2(5). I am having an issue with routing/NATing from an internal network to the outside interface IP on port 443, which has a NAT back in to another internal address. It works externally in from a public address. I also see log messages to do with IP spoofing.


Protocols / Routing :: Everything Go Wrong After Firmware Upgrade

Feb 15, 2011

I tried to find a suitable firmware for it and found this, Wireless Router, but when I upgraded the device with this firmware, everything went wrong: no English language, can't upgrade anymore. I tried to reset the device to its factory defaults by pressing the reset button, but nothing changes.


Cisco Switching/Routing :: 35609-X - Wrong Image On Switch

Mar 17, 2011

I inadvertently copied the wrong image on to a 35609-X switch and now it gets stuck in a particular mode.
 
The original image was: c3560e-universalk9-mz.122-53.SE2/c3560e-universalk9-mz.122-53.SE2.bin and I replaced it with: c3560e-universalk9npe-mz.122-55.SE1.bin (this is what the download site identifies as the image for 3560X-24P-S)
 
It now sticks at: Front-end Microcode IMG MGR: Programming device 0...rrrrrrwssssssssssssssssssspssssssssssssssss
 
How can I get back on to delete this image? It ignores the break key.


Cisco Firewall :: 5540 ASA Interface Input Error On Outside Interface

May 28, 2013

We have a Cisco ASA 5540 running Cisco Adaptive Security Appliance Software Version 8.0(5)23. At a certain time of the day, daily, we are facing latency and packet drops, and when I checked the ASA interface it gives me "Input Errors" on the outside interface. So can anyone tell me what the causes are for getting input errors on a Cisco ASA outside interface?


Cisco Firewall :: Only One Internet IP Can Be Used In Asa5520?

Sep 25, 2011

I have an asa5520 with five Internet IPs. One is for the internet interface and the others are statically mapped to DMZ hosts. It ran correctly until yesterday. Now it loses the connection to the gateway many times every day and the DMZ hosts cannot connect to the internet at any time. Configuration (simplified):
 
!
interface GigabitEthernet0/0
nameif internet
security-level 0

[Code]....

I called the ISP to check; when the ISP clears their router's ARP, the ASA loses the connection at the same time and then the ISP's router couldn't learn the ASA's MAC. After I 'clear arp' manually, the ISP's router can learn the ASA's MAC and the connection recovers, but the DMZ still can't access the internet (of course, there is no problem between the DMZ and the ASA; I ping the internet gateway from a DMZ host and cannot get any reply).


Cisco Firewall :: Upgrade 8.2.2 On ASA5520?

Oct 3, 2011

We have 2 x ASA5520 and I upgraded these to 8.2.2 last year; I see 8.2.5 and now 8.4 is out. If we are having no issues, is it best just to leave it as it is? I can see a couple of features I may find useful in 8.2.5, but 8.4 seems like a huge jump and a risky one too.


Cisco :: Firewall ASA5520 Is Very Slow

May 8, 2011

I have one ASA5520 firewall, and it is very slow.

Copyrights 2005-15 www.BigResource.com, All rights reserved