I have created Different extended access-list which allow/block some specific services like IP,TCP,UDP ,ICMP etc for certain source and destination . But now I have to allow/Block all/any type of services to a certain host from a extended access-list . How can I do it ?
View 4 RepliesI have an access-list that was named "extended" (without quotation marks) and the ASA will not let me remove it.
I have tried everything I know to try and get it out, but I cannot remove a single line.
ASA(config)# no access-list extended line 1 extended permit ip host 10.1.1.1 host 192.168.1.1ERROR:<1> not a valid permission
ASA(config)# no access-list extended line 1 permit ip host 10.1.1.1 host 192.168.1.1ERROR:<1> not a valid permission
We have hosted spam filter service with 3rd party vendor. My vendor is switching to different spamming services and I need to add ip address lets say 44.33.454.32 to the list of allowed system that can connect to my smtp service. I am going over my firewall 5510 configs and I think I need add the entry like this: “access-list outside-to-inside extended permit tcp object-group obj-44.33.454.32 interface outside eq smtp”. [code]
View 2 Replies View RelatedI have a capture set up of type "asp-drop all", and I am capturing certain packets with no indicated ASP drop reason. See output below (ASA 5510 with 8.0(5)23 code):asa5510-8.0# show capture, capture ASP type asp-drop all buffer 15000 circular-buffer [Capturing - 14912 bytes]
View 2 Replies View Relatedhow to allow few url and block other in cisco asa 5510
View 6 Replies View RelatedASA 5510, version 8.4.1 with ASDM 6.4.1
How can I prevent the user to share files with p2 programs (torrent, eMule, etc) and to chat via Instant Messaging, Facebook, Twitter, etc. ? I find a lot of suggestion, but allways related to 8.3 or older
I have 1 firewall module of ASA 5510. I am trying to block some URL's in it via ASDM but not working.
So far tried by following standard cisco doc which shows hwo to enable URL blocking via ASDM n via regex. Not working in my case.
block skype 5.1 in my network. This version of skype doesn't need Administrator rights to be installed. In my network there are 2 ways to Internet, one filtered by a PIX 525 ver 6.3(3) and the other by a ASA 5510 ver 8.3(2). No IPS system present on my network.
View 6 Replies View Relatedi want to Block torrents service in my Firewall , and give access to one of my pc , is it possible to do in the IOS 8.2
View 1 Replies View RelatedNow, i want to block some websites in cisco asa 5510 and in want to block key word like "sex", "game",..how can i config it?
View 3 Replies View RelatedI have a ASA 5510 device. I have been asked to block Ip range for India from accessing set of servers. Total Subnets: 34,675,968.I really don't want to create a two mile long access list with all these subnets.
View 2 Replies View RelatedI have cisco ASA 5510 with basic configuration (default policies). The problem is that windows XP users are unable to send emails form MS outlook and unable to log on to Hotmail , Gmail or any mailing site. While windows 7 and 8 users are not facing any problem.
View 2 Replies View Relatedhow to go about setting up the ASA to block any SMTP traffic outbound except for our Exchange Server. This is in relationship to a SpamBot issue that blacklisted us. I have an ASA 5510 running version 6.2(5) / 8.2(2) with three ports. DMZ, Inside and the Outside interface. Up till today, I only needed to block outside traffic to our internal network which I used the ASDM to configure a rule on the outside interface for an incoming rule. I am assuming I need to create an outgoing rule on the outside interface; however, just to make sure I understand the terminology/traffic flow, I created the rule with my computer as the source (192.168.0.131) with ALL destination and the service as HTTP. My logic, which seems to fail here, is that any traffic from my computer going outbound would be blocked; however I am still able to browse... That said, if I were to change the source as the Exchange server and the Service Type to SMTP, it would not actually block traffic and therefore not solve our problem. I even gone as far as permitting traffic from my computer, expanding the hit counter and I see no hits. So I am no doubt doing this wrong. What I do know, is when I first created the rule, a second rule was automatically created (Implicit rule) that deny all sources and blocked all HTTP traffic until I changed it to Permit?
View 2 Replies View RelatedI have purchased a Cisco ASA 5510 & want to block all social networking websites (https) either using CLI or ASDM.
View 1 Replies View Relatedi have cisco asa 5510 as firewall, i was trying to block some site using the link provided below
[URL]
and its working fine, but the problem i am having, when i go to download attachment from hotmail its not downloading, from gmail and other mails its
i use ASA 5510 and i want to block some urls :
-192.168.2.70 to 79 allow every thing
-192.168.2.80 to 89 : block facebook , myspace, twiter,
-192.168.2.90 to 99 : block facebook , myspace, twiter, youtube , dailymotion
-192.168.2.100 to 199 deny everting
I'm trying to configure an extended access list on one AS5350XM but I get one way hearing on a voice calls and I can't determine why (please see the attached diagram). There is an OSPF running on both gigabit interfaces and the Loopback address is also advertised (it is actually the voip IP address). The access list is applied on both interfaces in the inbound direction. There is another gateway with IP:4.4.4.4 (no firewalls here) and the routing between gateways is working properly.
Here is part of the access list (applied on AS5350):
.
.
permit ip host 4.4.4.4 host 3.3.3.3
.
.
When I review the log of the AS5350xm I see many errors like this one:
%SEC-6-IPACCESSLOGP: list example denied udp 3.3.3.3(16638) -> 4.4.4.4(18094), 1 packet
So how it is possible to see this error since the access list is in inbound direction and the IP address (4.4.4.4) is open. I don't have problems when I do telnet or ssh from 3.3.3.3 to 4.4.4.4.
I'm trying to add an access-list rule to allow internal servers to connect an outside host on a asa 5540. The hostname translates to multiple ip's. Normally I just lookup the ip address or one of the ip's the hostname translates too and use that in the access-list as the host. For some reason the actual ip's, which are a few, are not always available so using a specific ip sometimes does not work, thus the reason I have to use the hostname instead of the ip. I have 2 hostnames. www.hostname.com and subdomain.hostname.com.
This is how I normally add these rules (the ip addresses are fictive): access-list internet_access extended permit tcp host 192.168.50.5 host 84.115.57.121 eq www log
When I try to add this using the hostname on our asa I get an error: access-list internet_access extended permit tcp host 192.168.50.5 host www.hostname.com ?ERROR: % Unrecognized command
I've tried it without the 'www', so hostname.com but same error.
I have some LSA type 5, I want to change it from type 5 to type 3 before send to another Area, How can i do it?
View 1 Replies View Relatedwhere is the best place to block unwanted traffic? By that I mean, should I block it at the router, firewall, IPS? As an example, I'm dealing with DNS flood attacks - probably DDoS and reflection. I have a pair of Cisco 2821 routers with two different ISPs doing BGP. Behind that I have an ASA 5510 with IPS module. Behind that I have 2 public DNS servers. Over the last few days I've seen an increase in bogus DNS queries - high volume, distributed. My question is where is the best place to put the ACL to block them? I've been putting them on the ASA, but when the attack is running, it jacks the CPU to 60%. If I don't put the ACL, the IPS seems to pick them up after a while and the CPU is almost as high as with the ACL. I haven't tried to put the ACL on the routers.
View 2 Replies View RelatedI have a Cisco ASA 5510 with a 5 block of IP addresses assigned from our ISP. I am having issues with connectivity and routing traffic from the outside interface to the outside interface. I have my outside interface set up with IP address of 24.182.x.146, it allows internet access and also hosts a web server. Any time I have a client using this device for internet access, I am unable to have traffic accepted for my web server. I.E 100.100.x.52 is using this device, it browses to https://24.182.x.146 and it gets an unable to connect. I am able to connect to the web server from any other ISP/Device. [code]
View 4 Replies View RelatedWe want to use ASA5520 but both Firewall have different CPU. One has CPU Pentium 4 2400 MHz and another has Pentium 4 Celeron 2000 MHz. Can it be configured for replica / failover?
View 5 Replies View RelatedI have ASA 5505 ver, 8.4(1) I have configured 2 WAN links to
1. Outside1 - distance metric 50
2. Outside2 - distance metric 20
Currentry all traffic is passing thru Outside2 and it's correct, also s2s and ra VPN is also running on Outside2 ?My current case is to use Outside1 for webvpn services only. I can't use Outside2 becouse on 443 port other services are running, also I cant change webvpn port to other.
How can I match packets incoming to interface Internet1 from Interner side nad route them back thru Internet1 interface.
IPSLA is not a good solution becouse I need to have both WAN links used Now in routing table I have only onre record
S* 0.0.0.0 0.0.0.0 [20/0] via x.x.x.x, INTERNET2
for link with lower metric, but after some problems with provider for link Internet2 routing has changed for Internet1 and didn't change it back after resolving problem? how to create it for all traffic incoming for Internet1 interface from outside?
I have 3 ASA5520, 2 of them running as remote access VPN, 1 of the ASA as site to site VPN. There are 2 different ISP's which are used between them. Can I consolidate all these services in 1 ASA5520, relating to configuration and whether the ASA could handle these services together without performance degradation. I forgot to mention even e-mail service and Internet browsing is also though one of the ASA. I was just wondering whether the configuration will get messy or is there a different approach to go about it. The OS on ASA's is 8.3.
View 1 Replies View RelatedHow to get DynDNS or some other public dynamic DNS services on the Internet working on ASA 5505?
View 2 Replies View RelatedI am trying to figure out if the new code for ASA SM 9.0(x) or 9.1 is compatible with CAT6500 but I could not find any document that explicity confirms the the INCOMPATIBILITY. This table from the Release notes is not quite clear.
[URL]
It says that code 8.5 is compatible with Cat6500 and version 9.X is compatible with R7600.So are the two different trains now, one for Cat6500 and one for R7600?
My real goal is to find the correct software versions (not interim) that provides compatilibity with Catalyst 6500 with Supervisor 2T and ASASM.
we have installed and implemented a FWSM on cisco catalyst 6509E and defined two virtual contexts.one of contexts work as datacenter firewall. initially it is configured to allow all traffic to datacenter VLAN. (permit any any) on test, it worked fine, except for one problem: all web services had degradation in performance, all server-client (non web) services worked very fine. additionally all https servies worked well.
Users connect to the web server bypassing the proxy, web services are expected to act just like other ones.
Do you know how to create a static nat from outside to inside and using services, this is a firewall 5545x
View 9 Replies View RelatedIt seemed that show vpn-sessiondb ra-ikev1-ipsec will not provide the client type of the remote vpn user as show vpn-sessiondb remote did before.
Is there a way to find it out on ASA running 8.3?
I've recently migrated a PIX 525 to ASA 5520, but for some reason (through ASA) the users from OUTSIDE aren't able access services published in DMZ as well as some DMZ servers aren't able to communicate to some OUTSIDE services.
-INSIDE to DMZ is working fine. (through ASA)
-INSIDE to OUTSIDE is working fine. (through ASA)
Below is the configuration from my PIX (where everything works just fine) as well as the one on the ASA (where there is a problem), what could be the cause?In the below case the DMZ hosts from 11.1.10.0 aren't able to access SMTP services (through ASA) and the OUTSIDE users aren't able to access DMZ web server (11.1.10.40) through ASA, this all just works fine with PIX.
object-group network inside_subnet_all network-object object inside_subnet_a network-object object inside_subnet_b network-object object inside_subnet_c network-object object inside_subnet_d network-object object inside_subnet_e network-object object inside_subnet_f network-object object inside_subnet_g network-object object inside_subnet_.access-list OUTSIDE extended permit tcp any object host-11.1.10.40 object- group WWW-HTTPS access-list DMZ extended permit object SMTP object dmz_subnet any access-list INSIDE extended permit ip
I've configured an ASA 5510 FW with asa901-k8 ios. on it's "inside" port there is 10.90.0.0 network. there is another network (10.190.0.0) in my system that can be reached via another router which has 10.90.0.253 ip address. when a client in the 10.90 network wants to reach the 10.190 network the fw redirects the request to the router (10.90.0.253) because the fw is my gateway. there is no problem so far... but... while i can ping and traceroute a 10.190... user from 10.90... network, i can't use any non-icmp appliactions. for example i can't use rdp programs, http web interfaces of some devices on remote network (10.190.0.0). what can cause that? is there any rule in asa that blocks these protocols?
View 4 Replies View Relatedsome recommendations for product selection and overall infrastructure setup for our datacenter: We have an old, legacy setup, and are looking to replace equipment, improve performance, enhance security, and implement hardware redundancy (if cost effective).
1) We now have (2) IP blocks from our provider, and need to support both (because we have mailers on older IPs with a good reputation rating).
2) We have (2) aged Sonicwalls, one for each IP block, each connects to multiple internal subnets (some internal subnets need connectivity to eachother, some don't).
3) We have (mostly) public facing web servers (Linux/Apache), as well as database servers (with no external access).
Questions-
1) Should we implement a Cisco ASA 5520 w/ or w/o SSM modules for the new IP block (for webservers)?
1a) Should we implement a Cisco ASA 5510 or 5505 for the existing IP block (for mailers)?
1b) Or, can we have multiple public IP blocks connected to a single ASA 5520 (or 2 ASA's w/ failover)?
2) Can we connect both firewalls (5520 and 5510/5505) to a single Catalyst 3550 (or similar) using VLANs, and have 6 - 10 VLANs for webserver subnets, with ACLs controlling which subnets/servers can connect to eachother?
2a) Should we implement a second Catalyst 3550 (or similar) for redundancy (webservers have multiple network cards).
3) From our provider, we only have (1) dmark which both IP blocks connect through. Currently we have a switch connected to the dmark in order to 'splice' the connection, and have both existing firewalls connected. Is there a better approach to this?
4) We would like to implement SSL-VPN, and possibly site to site IPSec VPN, but only if there will not be significant performance degredation.
5) Other thoughts/recommendations for new features, enhanced security, or redundancy?
I like to set up a pix and router for this network for a small buss, but I need to know what type of cable do I need to set this connection to work straight through or a cross over cable? also I need a subgestion if a nat would work better on the pix or leave it on the router?
View 4 Replies View Related