Cisco Firewall :: ASA8.4 VPN - Hit Count Is Zero On Rules

Nov 7, 2012

I have several working VPNs between ASAs 8.4 and 8.3The way this was set up is with cryptomaps that match whole subnets and ACL on the outside interface to permit from/to the RFC 1918 addresses.I notice that the hit count is zero on these rules and so I wonder if they are actually necessary or doing anything.If they are not where can an acl be applied to restrict the VPN traffic? Outbound on the inside interface?

View 1 Replies


ADVERTISEMENT

Cisco Firewall :: ASA5525 Can Work Under ASDM7.0 (1) If ASA8.6 (1)2 Installed?

Feb 17, 2013

If ASA5525 with ASA8.6(1)2 can be browsed using ASDM7.0(1), as currently i'm running ASDM6.6(1) if it will work, any document how to do the upgrade using GUI screen?

View 8 Replies View Related

Cisco Firewall :: ACL Hit Count Not Real In Asa 8.2

Mar 6, 2011

ASA v 8.2What does the ACL hit count count ? I always thought that the acl hitcount counted the numbers of packets hitting that line in the ACL, however that is not the case. if I setup a icmp permit rule then that will only increment 1 even if I send 4 packets that hits the line. udp and tcp seems to do the same. is there some way I can make the ACL actually count the packets that hits ? where can I learn more about this ?

View 4 Replies View Related

Cisco Firewall :: Active Session Count Of ASA 5540 In HA?

Apr 15, 2012

We have configured our ASA5540 in active-standby failover.We are observing that current active session count is twice of session count before configuring HA. Earlier average active session was 50000 and now after HA it is around 100000. Failover configuration of both firewall are as follows
 
failover
failover lan unit primary
failover lan interface FOLan GigabitEthernet1/0
failover polltime unit 15 holdtime 45
failover replication http
failover link StateLink GigabitEthernet1/1
failover interface ip FOLan 10.3.3.1 255.255.255.0 standby 10.3.3.2

[code]....

View 3 Replies View Related

Cisco Firewall :: ASA5520 - Can't View ACL Count Details Using ASDM

Feb 9, 2012

We are running a ASA5520 with system image of "disk0:/asa843-k8.bin".  I'm also running ASDM ver: 6.4(7)So my question is while I'm in the ASDM on the configuration of the firewall, I'm looking at the Access Rules.  When I do a show log on any of the rules that have hit counts on them, it opens up a Real-Time Log Viewer but I don't see any information.  It's not showing anything, nothing appears, it just sit's there like it's waiting but no data is coming.  Even though if I go back out to all the rules, I can see the hit count incrementing.  The same thing happens no matter which rule I pick with hit counts on them.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 High Drop Count On Management Interface

Sep 4, 2012

I have a 5510 FW in multi-context mode that is showing a high drop count on the Management interface in the Admin context.

View 1 Replies View Related

Cisco Firewall :: ASA 5505 - Increase Inside Hosts License Count?

Feb 14, 2012

At the end of the day I simply need to upgrade the license on my ASA 5505 v7.2.4 (upgrade will come later as part of a larger project) to allow for >10 Inside Hosts. From what I've read there seems to be a 50 license upgrade out there. Can this be purchased directly? From whom? Will it only affect the Inside Hosts number and not affect any other licenses, configurations, etc. Just being overly cautious since this is way outside of my normal realm. Below is the current activation-key information....
 
Result of the command: "show activation-key"
  
Serial Number:  xxxxxxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  
Licensed features for this platform:
Maximum Physical Interfaces : 8        
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10       
Failover                    : Disabled
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
VPN Peers                   : 10       
WebVPN Peers                : 2        
Dual ISPs                   : Disabled 
VLAN Trunk Ports            : 0        
  
This platform has a Base license. 
 
The flash activation key is the SAME as the running key.

View 2 Replies View Related

Cisco :: 5500 - Count Bytes For Some Interesting Traffic Crossing Firewall In It?

Mar 20, 2013

I need to count the bytes for some interesting traffic crossing the firewall in ASA 5500. Packet Capture is so far as I need, cause I only need the number of bytes during a long time for about 3 months (source host - destination host)
 
capture capin type raw-data access-list cap buffer 33554432 interface inside circular-buffer [Capturing - 33553570 bytes]
 
I need to get only the exactly amount of "33553570 bytes" The pcap file is not needed

View 6 Replies View Related

Cisco Firewall :: 837 Hardening Access And Firewall Rules

Mar 21, 2012

i have a cisco 837.I need hardening the access and firewall rules. I dont understand ip inspect.

View 1 Replies View Related

Cisco Firewall :: 2921 Firewall Allow Rules Being Dropped

Jul 5, 2012

I am configuring a 2921 with enhanced security using the CCP.  I have found a behavior that seems strange to me and I'm not sure if I'm misunderstanding something or missing a setting.  It seems that if I create a firewall rule to "allow" traffic through, that traffic gets dropped, but if I set the action to "Inspect", the traffic comes through fine.  I can actually reproduce this at will by setting up a rule from out-zone to self to allow traffic and I cannot telnet into it from an external ip, but if I change that rule to "inspect" i can connect fine (i dont want that rule set up permanently, was just using it to test the firewall).
 
If I set the allow rule to log, I see the following line in the application security log:
 
(target:class)-(ccp-zp-out-self:user-fw-ccp) Passing telnet pkt 1.1.1.1:58141 => 2.2.2.2:23 with ip ident 0
(where 1.1.1.1 is the external laptop and 2.2.2.2 is my WAN IP address of the 2921)
 
So it looks to be passing the traffic, but that traffic is getting dropped somewhere because the connection is unsuccessful.
 
Is this the expected behavior of "Allow" action?  Is there something I can do to make sure "allow" traffic actually gets through?

View 1 Replies View Related

Cisco Firewall :: VPNs And Firewall Rules With PIX 515

Mar 25, 2011

I have a Pix 515, and a question about firewall rules/access lists.I have recently created a new VPN group, and IP Pool.I created a firewall rule that grants access via TCP to a specific IP address from this firewall.  However, when I test the VPN from outside the company, I find I can get to whatever server I want to.  There is no allow any/any.  I do not think there is any other rule before it or after it that would give that kind of access as most of our rules are for specific IP's and protocols.
 
The only thing I could think of is that we are using the account management in the firewall to authenticate the users.  I am giving the VPN users level 3 access.I will probably not post my config as it is my firewall config, and it would be against company policy.

View 3 Replies View Related

Cisco Firewall :: One To Many NAT Rules To Same DMZ IP ASA 8.2

Dec 5, 2011

Is it possible to provision 3 different public IP addresses to the same DMZ IP (Web server) on an ASA running ver 8.2(4)? Unfortunately, the way the server was provisioned Static or Dynamic PAT will not work.  I have read that ver 8.3 and up supports natively one-to-many NAT translations, but at this point the client is not ready for an upgrade. Is there anything else I could do to overcome this challenge?
 
Outside --------> DMZ
200.1.1.1------> 10.1.1.1
200.1.1.2------> 10.1.1.1
200.1.1.3------> 10.1.1.1

View 16 Replies View Related

Cisco Firewall :: ASA 8.4.(1) NAT Rules Ignored

Jun 24, 2011

I'm having some troubles with NAT, packets does not match nat rule (that i think it should) and is not choosing the right egress interface. So crypto map never starts
 
this is the relevant config:
 
interface Port-channel2.4
description Public TESA ADSL internet connection
vlan 7

[Code].....

View 7 Replies View Related

Cisco :: Command To List Firewall Rules?

May 17, 2012

Boss wants a listing of the firewall rules only. What's a command I can run that will give me a listing of this?If I can get an output of firewall rules only, via GUI, that'll work too. It just needs to end up with a printout on a piece of paper telling me what the firewall is doing.

View 17 Replies View Related

Cisco Routers :: RV120W - Firewall Rules

Jul 5, 2012

I have a problem with firewall rules. If I set some rules for open communication and some for closed, so I cannot reorder from the end to begin.

Last rules are at the end of all. So I can only reorder in one pages.(I have about 33 rules = 3 pages of rules)

View 4 Replies View Related

Cisco Firewall :: Creating ACL And Nat Rules On ASA5505

Mar 23, 2012

Ive migrated from my lab pix to a lab asa and am trying to open certain ports to my internal network.
 
in my confg on my pix i had acls to open port 51413 to an inside host along with the static nat rule.
 
what i am trying to accomplish is same on my asa, however the nat rules seem to be slightly different, and i'm not completely sure how to do it.
  
My ACL and nat rule is below.  I'm pretty certain my acl is correct,but i am not sure as to what to do with my NAT rules to allow a translation for the tcp service.
  
access-list outside-in extended permit object tcp51413 any object outside nat (inside,outside) source dynamic all-inside-nat interface

View 3 Replies View Related

Cisco Firewall :: Change Order Of Nat Rules (v8.4)?

Sep 26, 2011

I have a question about the new nat implementation in an ASA 8.4. when I perform a "show nat" I get the following result:
 
1 (outside) to (inside) source dynamic any NAT-SSL-VPN_172.30.100.250 destination static 00B_172.30.100.0_24 00B_172.30.100.0_24
    translate_hits = 26, untranslate_hits = 0

2 (inside) to (outside) source static LAN-HOST_172.30.100.11_LNX01 WAN-HOST_84.199.44.2_32_LNX01 service TCP-80-HTTP TCP-80-HTTP
    translate_hits = 0, untranslate_hits = 0
 
Is it possible to change the order of the nat rules without removing and reapplying the rule on position 1 ? (both rules have to stay in section 1)

View 3 Replies View Related

Cisco Firewall :: ASA5505 - Possible To Add Rules To Users

Aug 2, 2011

How can I filter my local lan's URL requests?  Is it possible to have some sort of list like...
 
Default_User_Group
*.microsoft.com/*
*.mydomain.com
*.google.com
 
Then only allow certain ip's access to the entire internet like this...
 
Internet_User_Group

It would be nice to possibly be able to add the rules to users in my domain, then associate the domain account with an IP OR have them login to view webpages.

View 12 Replies View Related

Cisco Firewall :: Unused Rules Tracking In PIX 535?

Nov 14, 2011

I have PIX 535 and using ACLs for allowing traffic. I need to clean up the rule base. I would like to know how to fetch a report of Unused rules for long time?Also when a traffic is being allowed, I want to know through which rule number its being allowed?

View 2 Replies View Related

Cisco Firewall :: Invisible NAT Rules (twice) Added In 8.3 For VPN?

May 31, 2011

Note If  you configure VPN, the client dynamically adds invisible NAT rules to  the end of this section. Be sure that you do not configure a twice NAT  rule in this section that might match your VPN traffic, instead of  matching the invisible rule. If VPN does not work due to NAT failure,  consider adding twice NAT rules to section 3 instead.  

View 2 Replies View Related

Cisco Firewall :: 871 Configuration - Basic Rules

Jan 3, 2013

I have an 871 and all I need to do is some basic rules. Here is the config I am  having the issue with.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Access Rules

Aug 13, 2012

When i create a rule and enable icmp in ASA inside to outside direction to testing purpose, but I can't ping outside address ,  

access-list ICMP extended permit icmp any any 
access-group ICMP in interface inside
 
LOGG:::
ping 8.8.8.8
%ASA-3-106014: Deny inbound icmp src outside:122.255.3.1 dst inside:202.124.160.1 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:122.255.3.1 dst inside:202.124.160.1 (type 0, code 0)
  
then I have permitted icmp for return path then it works, configs and logs are followed,
 
access-list ICMP extended permit icmp any any 
access-group ICMP in interface outside
 
LOGG:::
ping 8.8.8.8
 
%ASA-6-302020: Built inbound ICMP connection for faddr 122.255.3.1/0 gaddr 202.124.160.1/14 laddr 192.168.1.1/14
%ASA-6-302021: Teardown ICMP connection for faddr 122.255.3.1/0 gaddr 202.124.160.1/14 laddr 192.168.1.1/14

View 1 Replies View Related

Cisco Firewall :: Duplicate Rules On ASA5585

Oct 17, 2012

I got some issues with my CISCO ASA, the thing is that when I add a new rule on the device this rule duplicate and goes to the bottom. We already tried to delete the duplicate rule but it always show an error.
 
-Model 5585
-ASA Version: 8.2(5)
-ASDM version: 6.4(5)

View 5 Replies View Related

Cisco Firewall :: Rules In 877 Firewall

Nov 3, 2011

I have a firewall enabled cisco 877 with these rules.
 
Interface Dialer0 IN    10 deny ip 0.0.0.0 0.255.255.255 any    20 deny ip 10.0.0.0 0.255.255.255 any    30 deny ip 127.0.0.0 0.255.255.255 any    40 deny ip 172.16.0.0 0.15.255.255 any    50 deny ip 192.168.0.0 0.0.255.255 any    60 deny ip 224.0.0.0 15.255.255.255 any    70 deny ip 240.0.0.0 15.255.255.255 any    80 permit tcp any any eq 22 (8810 matches)    90 permit tcp any any eq 242    100 permit udp any any eq snmp    110 permit icmp any any echo (6 matches)    120 permit udp any any eq non500-isakmp (3 matches)    130 permit udp any any eq isakmp (1 match)    140 permit tcp any any eq www (26 matches)    150 permit udp any eq domain any    160 permit tcp any any established (6 matches)    170 permit tcp any any eq smtp (2 matches)    180 permit tcp any any eq pop3 (3 matches)    190 permit tcp any any eq 443    200 permit esp any any    210 permit ahp any any
Interface Dialer Out     10 permit ip any any
 
This rule which is its function?"permit tcp any any established"

View 1 Replies View Related

Cisco Routers :: RV042G Which Rules Have Priority Firewall

Oct 14, 2012

I have made a firewall rule that accepts FTP from WAN2 outside to the inside private LAN with IP address specified.But this didn't work.When I added in the forward rules that FTP had to be forwarded to this IP address it worked.I have done some testing but it seems that the firewall rules do not have any priority on the forward rule.If I disable the forward rule i cannot connect with ftp even with a firewall rule made.

View 7 Replies View Related

Cisco Firewall :: ASA 5505 - No Internet Using Static NAT Rules?

Feb 5, 2012

I'm trying to configure a second server on my network but whenever I add the static NAT rule, the internet stops working on that computer.
 
Here's my Cisco ASA configuration:
 
ASA Version 7.2(3)
!
hostname domain

[Code].....

View 16 Replies View Related

Cisco Firewall :: ASA 5505 - Rules And PAT Weird Behavior

Jun 21, 2012

In the last 8 month I have been upgrated at least 6 Cisco ASA 5505 from 8.2(1) to 8.4(3) without problems, I did a minor changes and all related to rules due a problem with the migration.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Add Rules Through CMD Prompt As Against ASDM

May 28, 2013

We have a pair of ASA  running 8.0 (old) version.  The way we create outbound rules is done through ASDM and when we need to open outbound connections to a server in the internet, we create named object with IP address configured manually.But practically , this doesnt work, since  the server is a server name which can resolve to multiple addresses. Everytime the server chagnes its IP the ASA rule needs to be updated.Is there a difference if we add rules through CMD prompt as against ASDM where we need to enter IP addresses?

View 3 Replies View Related

Cisco Firewall :: FWSM Acl Rules Rv042 Not Working At All

Sep 20, 2011

On my RV042 (I used it for a couple of years now without issues), the DIAG led light amber (steady). It's not documented in the user manual.User manual says only:,Diag  (Red)  The Diag LED lights up when the Router is not ready for use. It turns off when the Router is ready for use.",Router does not work anymore and I can't access its web page as I used to do before this problem.I did a reset to factory default (reset button hold for more than 30 sec.) but it didn't change anything.

View 1 Replies View Related

Cisco Routers :: RV180 Firewall Access Rules And 1:1 NAT

Nov 26, 2012

I have a static IP block and need to route to various servers.  I know I can use 1:1 NAT or Access Rules and have success with each.  The problem is my mail server.  When I use 1:1 NAT, the mail is sent from the correct IP - the address of my mail server - and there is no problem with reverse lookups.  However, I cannot block any ports when I use 1:1 NAT.  I have tried it every way I can think of and even some suggestions in the forums that did not work.  No matter how I set access rules, all port stay open in 1:1 NAT.
 
If I delete the 1:1 NAT rule and use Access rules to open specific ports, the mail server sends out the mail from the WAN address.  The reverse DNS does not match and mail server will bounce the mail. 

View 11 Replies View Related

Cisco Firewall :: ASA 5520 Difference Between Access Rules And ACL / ACE?

Nov 2, 2011

We are moving from a different vendor to ASA 5520s. So far my "training" for Cisco consists of s  Cisco press book, some white papers and guides, this website, and a bunch of mistakes. So, I have what is probably a pretty basic question for most folks.
 
What is the difference between Firewall Access Rules and ACL/ACE? And when to use which?
 
for example: on my ASA 5520s I've set up an Interface for my internal LAN: 172.16.x.x., a DMZ 192.168.2.0/24, and an interface for the Internet side. The 5520 is set up as a routing firewall betwen my internal lan, DMZ, and Internet.
 
If I want to allow my internal users Internet access for http and https would I use a Firewall Access rule?For most of my rules allowing outbound access from my 172 LAN and DMZ and inbound access to devices in my DMZ can I mostly utilize the Firewall Access Rules?

View 1 Replies View Related

Cisco Routers :: RV180 Firewall Access Rules

Sep 3, 2012

I purchased a RV180 router, and would like set the Firewall Access Rules as below

- Action: Always Allow
- Service: HTTP
- Source IP: Any
- Send to Local Server (DNAT IP): private ip (192.168.1.xx)
- Use Other WAN IP Address: Enable
- WAN Destination IP: one of public ip (different of the router WAN ip address)
 - Action: Always Allow
- Service: FTP
- Source IP: Any
- Send to Local Server (DNAT IP): private ip (192.168.1.xx)
- Use Other WAN IP Address: Enable
- WAN Destination IP: one of public ip (different of the router WAN ip address)
 
The firewall access rules no problem within 1 hour after setting. I can access the http / ftp services by the WAN ip address. After several hours, I can't access the services.
 
I can set the one-to-one NAT rather than use the firewall access rules, but I would like block all other ports, and one-to-one NAT will forward all ports to the private ip address. Administrator > Logging > Firewall Logs , when I enable the settings, where can I get the log of the firewall?

View 4 Replies View Related

Cisco Firewall :: 5540 ASDM Does Not Display All Rules

Jan 15, 2012

we replaced our PIX525 firewall with an ASA 5540 firewall, and now we see some strange behavior in ASDM.ASDM does not display all the rules, but i see all all the rules in cli.

View 8 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved