Cisco Firewall :: Allow Inbound Access From Any Host Outside To LAN Server On Port 995
Nov 5, 2012

Trying to allow inbound access from any host outside to my LAN server on port 995. [code]
Set up firewall rules that will block all inbound Internet access to the web server except port 443. Set up firewall rules that will block all communication between the two internal networks, except ports 7000 and 1702.
Basically, after upgrading from ASA 8.4 to 9.0(2) I have problems with certain types of NAT. Example:

ASA 8.4:
nat (LAN, outside) 85 10.252.253.123 source static 192.168.3.2 192.168.3.2 192.168.3.104 static destination service http http
In this form the host 192.168.3.2 uses the mapped IP (192.168.3.104) to access by HTTP, while other ports can be accessed using the original IP (10.252.253.123).

ASA 9.0:
nat (LAN, outside) 85 10.252.253.123 source static 192.168.3.2 192.168.3.2 192.168.3.104 static destination service http http
In this form the host 192.168.3.2 uses the mapped IP (192.168.3.104) to access by HTTP, but unlike before I now cannot access the original IP (10.252.253.123) using another port, or ping it, from host 192.168.3.2.
How to set up port forwarding for inbound SSH?
The outside interface on the ASA is on DHCP. I have a single dynamic public IP from my ISP. The inside interface provides Internet access for the network using NAT.
I have a server on the internal network with an IP of 192.168.0.6 and I would like to access this via SSH (TCP port 22) from outside.
I've been able to do this in the past on a PIX with a static public IP block, but I'm new to ASA and I don't know how to do it with PAT.
Current running config attached for what it's worth, but it's pretty basic at the moment.
I have a weather station at our high school that needs UDP port 9500 open inbound/outbound to specified IP addresses.
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)57
Recently I had some malware on my Windows XP Professional (version 2002), so I followed a guide at Bleeping Computer [URL] to get rid of it. Problem is, for some reason, after I finished, I could no longer access the internet! When I try, Firefox gives me their "could not connect" message: "Server not found. Firefox can't find the server at [site]. Check the address for typing errors such as ww.example.com instead of [URL]". When I try to log into MSN, the troubleshooter says I have a problem with my DNS and Key Ports. I'm not good with computers so I Googled and found some pinging instructions. When I tried to ping [site], I get: "Ping request could not find host [site]. Check the name and try again." This happens regardless of the site I use. Lastly, I tried "ping 127.0.0.1" from a troubleshooting site. It gives me:

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
[code]
I have successfully been able to allow outbound access from inbound hosts on the appliance; however, I have only one outbound IP address and had to configure outbound access using static PAT. What I need to do is to configure access to certain inbound hosts from outside. What's wrong with my running config? Below are the commands that I believe need to be changed from the configuration. [code]
I'm running a Cisco ASA 5510 with version 7.2(3) and I've been tasked with permitting some inbound & outbound TCP & UDP ports to/from a specified address space on the internet.
In looking at my current ASA config I see other access lists already configured so I'm assuming I can just set up a new access list in similar fashion, but I wanted to verify here first.
I got a request from one of the users to allow his IP to access one public IP using port www; this needs to be allowed in the Cisco PIX. Is the command below correct for this?
Source host : 10.84.11.1
Destination IP : 203.126.112.131
Port : www
access-list acl_outbound permit tcp host 10.84.11.1 host 203.126.112.131 eq www
Instead of using an IP address I would like to use a host address that points to an NTP pool. An example would be:

ntp server 0.north-america.pool.ntp.org

Can this be done on the ASA series?
I'm using an ASA5505 (8.4(1)) and would like to block port 80 on a specific host in the LAN so machines in other remote LANs connected via VPN can't access this port on the host. Devices in the local LAN should have access to this port on the host. Here are the commands I'm using:
access-list block_port extended deny tcp any host 10.20.10.20 eq 80
access-list block_port extended permit ip any any
access-group block_port out interface inside
These commands are not working as I would expect them to. When I browse to http://10.20.10.20 from a remote machine over the VPN tunnel I am able to access the host web server.
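An added example, not the poster's configuration, of the approach a practitioner would usually take for this case: instead of relying on an interface access list, attach a vpn-filter to the group policy of the site-to-site tunnel, because with the default sysopt connection permit-vpn the ASA lets decrypted VPN traffic bypass interface access lists. The peer address 203.0.113.10, the group-policy name and the ACL name are assumptions, and the remote networks are written as `any` because the post does not give them. In a vpn-filter ACL the source is the remote (tunnel) side and the destination is the local side, and the filter is applied statefully in both directions.

```cisco
! Added example, ASA 8.4(1): restrict what VPN peers may reach on 10.20.10.20.
! Assumed names: peer 203.0.113.10, group-policy GP_SITE_B; the tunnel-group already exists.
!
! vpn-filter ACLs are written remote -> local: source = remote VPN side, destination = local host.
access-list VPN_FILTER_SITE_B extended deny tcp any host 10.20.10.20 eq 80
access-list VPN_FILTER_SITE_B extended permit ip any any
!
group-policy GP_SITE_B internal
group-policy GP_SITE_B attributes
 vpn-filter value VPN_FILTER_SITE_B
!
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP_SITE_B
!
! Alternative: make interface ACLs apply to decrypted VPN traffic instead. Every remote
! subnet then needs explicit permits in the outside interface ACL, so do this deliberately.
! no sysopt connection permit-vpn
!
! Checks:
! show run group-policy GP_SITE_B
! show vpn-sessiondb detail l2l filter ipaddress 203.0.113.10   (Filter Name should show VPN_FILTER_SITE_B)
! packet-tracer input outside tcp 192.168.50.10 40000 10.20.10.20 80   (remote host 192.168.50.10 assumed; expect DROP)
! packet-tracer input outside tcp 192.168.50.10 40000 10.20.10.20 443  (expect ALLOW)
```

Local LAN hosts never traverse the tunnel, so the filter does not affect their access to port 80, which is what the post asks for.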
We are using an ASA with 8.4 in transparent mode. Connection fails when a host on inside tries to connect to a server on outside. This server uses MAC address 0100.5E00.0000 to load balance but replies with its real MAC address. Firewall logs "Deny TCP". ARP inspection is disabled.
I have a 5520 in production at a customer's site between an outside 802.11 network and an inside server. The server can get to outside hosts OK, and the traffic is being NATed properly, and sockets initiated by the server on the inside can pass data both ways, but I need to allow outside hosts the ability to send 'announcement' UDP packets to the inside server. I thought this might be an outside-NAT-required issue to get the traffic routed, but I need the inside server to see the actual outside host source IP in the UDP packet, so I basically set the outside host up similar to the inside host, just without the NAT table on the firewall -- its subnet is outside the destination (inside server) subnet, and its gateway is the outside interface of the ASA, the same way the inside server is able to get to hosts outside. The firewall should just route the packet with a destination of the inside subnet once it sees that it hits a 'permit' ACL.
I have the appropriate ACL's set up, and when I do 'show access-list' I see policy hits for the 'permit' statements where the outside host is generating the announcement and it's hitting the ACL. I even duplicated the ACL into list 101 and 102, and applied 101 for inbound traffic on the outside int, and applied 102 for outbound traffic on the inside int, and I'm seeing policy hits on both permit statements outside and inside, so it looks like the traffic is being passed on to the inside interface and permitted, but the server isn't seeing the packets.
I can ping the outside interface from the outside, but cannot ping the inside interface or any inside hosts from the outside, even though I have 'permit icmp any any' enabled on the ACL on both ints. When I remove the firewall and put the outside clients on the same subnet, the server sees the packets just fine.
I set up the same scenario in my lab with an ASA 5505, with the same results. Below is the running config from the 5505 in the lab. The production firewall is running a slightly older version of ASA, so I made the configuration as basic as possible on the 5505 to match the config in the field:
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password Guh9Xxhb9mcC8lV1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan2
description Outside WAN Interface
nameif outside
security-level 0
ip address 192.168.10.1 255.255.255.0
!
interface Vlan3
description Inside LAN Interface
nameif inside
[code]
I ran into a very interesting problem that occurred today and I'm trying to figure out why it happened. If it was one ASA 5505 that just required the reboot, then I'd have just chalked it up to a glitch, but when we built a new AD/DNS server on the main network at the main site and changed the 3 remote site ASAs to point to the new DNS server in the DHCPD options, none of them could ping any local host names to the DNS server at the main site they were now pointing to, but external host names [URL] all translated and pinged fine.
From a laptop on one of the remote sites, we could ping the new AD/DNS server (192.168.0.3) and the old AD/DNS server (192.168.0.2) and everything else at the main site, and telnet to port 53 showed successful across the Easy VPN from the remote site to the new server at the main site. When Wireshark was added to the new DNS server at the main site, the DNS requests and replies for [URL], for example, came and worked fine, but any requests for local resources never made it to the server from the remote sites.
A reboot of one of the remote site ASAs corrected the issue. Then I rebooted the other two remote site ASAs, and now DNS was working fine for everybody. I had also tried clearing the ARP cache on the ASAs before resorting to rebooting them. I also tried rebooting the laptop, thinking the local DNS cache needed clearing, before resorting to rebooting the ASAs. I'm struggling to understand why external, public host names made it through and resolved from the remote sites to the new server at the main site, but anything local failed before even reaching the new server (the new DNS server could resolve requests made by computers at the main site, but the remote sites that traverse the Easy VPN from the ASAs failed). The new AD/DNS server is the only server configured for DNS for all remote site computers.
Is any of this making sense? I'm wondering if clearing the xlate or local host tables would have corrected it without having to reboot. I'm just trying to grasp the understanding here and figure out what happened.
I'm using an ASA 5510 and I try to understand how PAT is working. I want to add a mail server in the LAN and a webmail using port 3000 on the server (webmail must be reachable from the WAN). This is my configuration: actually LAN users access the internet using NAT with one global IP (194.x.x.69), which is the ASA WAN interface.

WAN ----- ISP Router ---------- FW ---------- LAN -------- Mail Server + Webmail
                                |                                |  (25)  (3000)
                     194.x.x.69 / 192.168.1.254              192.168.1.6

I need to forward port 3000 and port 25 from outside to inside. For example, from the WAN: [URL] must be redirected toward 192.168.1.6:3000. What is the correct configuration? And what about the inside/outside traffic, is there any configuration to add?
I'm working on setting up a new ASA 5550, and have run into a question that I hope is easily answered.I currently have 4 interfaces, SL100 Inside, SL80 DMZ1, SL50 DMZ2, and SL0 Outside. I was under the impression that each interface, depending on security level would pass traffic from higher levels to lower, but not allow traffic being generated from SL80 to SL100.
What I would like to accomplish is that any hosts on my SL100 Inside interface can access the "internet" which is connected to my outside interface of the ASA, which was very simple, just a permit internal subnets eq www / https / etc...
My DMZ subnets need to access a few servers on my internal interface, and need outbound access to the world as well. Thinking that all traffic from my lower SL interfaces on the ASA would be denied, I entered a permit IP / DMZ subnet ------> any. This worked great for giving my DMZ hosts access to the internet, but it also permits traffic from the DMZ to hosts on my Inside interface as well.
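An added example, not the poster's configuration, of how a DMZ interface access list is usually structured so that a lower-security interface gets Internet access without implicit access to the inside: permit only the named inside servers and ports, explicitly deny the rest of the inside address space, then permit everything else. Once an access list is applied to an interface it replaces the security-level default for that interface, so the final permit is what keeps Internet access working. The interface name DMZ1, the inside range 10.10.0.0/16, the DMZ1 subnet 172.16.80.0/24 and the inside server 10.10.5.20 are assumptions.

```cisco
! Added example (ASA 8.3+ syntax). Assumed: nameif DMZ1 (security-level 80), inside 10.10.0.0/16,
! DMZ1 subnet 172.16.80.0/24, inside server 10.10.5.20 reachable from the DMZ on TCP 1433 only.
object-group network INSIDE_NETS
 network-object 10.10.0.0 255.255.0.0
object-group network DMZ1_NET
 network-object 172.16.80.0 255.255.255.0
object network INSIDE_DB
 host 10.10.5.20
!
! 1. Specific permits toward the inside: only what the DMZ needs.
access-list DMZ1_IN extended permit tcp object-group DMZ1_NET object INSIDE_DB eq 1433
! 2. Block everything else destined for the inside address space.
access-list DMZ1_IN extended deny ip any object-group INSIDE_NETS
! 3. Remaining traffic (Internet) is allowed. Limiting the source to the DMZ subnet, rather than
!    permit ip any any, also drops spoofed source addresses leaving the DMZ.
access-list DMZ1_IN extended permit ip object-group DMZ1_NET any
!
access-group DMZ1_IN in interface DMZ1
!
! Repeat the pattern for DMZ2 (security-level 50) with its own ACL, its own permits
! and the same deny toward INSIDE_NETS.
!
! Checks: first match wins, so the deny must sit above the final permit.
! show access-list DMZ1_IN
! packet-tracer input DMZ1 tcp 172.16.80.10 40000 10.10.5.21 443   (expect DROP at the deny line)
! packet-tracer input DMZ1 tcp 172.16.80.10 40000 10.10.5.20 1433  (expect ALLOW)
! packet-tracer input DMZ1 tcp 172.16.80.10 40000 198.51.100.9 443 (Internet; expect ALLOW)
```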
I must translate port 80 from an outside connection to port 85 on a LAN server. How can I configure the ASA firewall rules to complete this task?
I am using a Cisco 1841 with subinterfaces instead (NAT on a stick). From the internet I can access services on public IPs being hosted in LAN2. But when I try to access the same services on the same public IPs but sitting on LAN1, it does not work.
I have an ASA5505 running ver 8.0(2). I have configured the ssh timeout, ssh host commands and did the crypto key gen. I am unable to access the device from the host I am allowing. Is there like a save all command required? I am trying to use the default pix and telnet password. Do those still work?
The old syntax that I am much more familiar with has been deprecated. On older IOS it would have been something like: static (inside,outside) tcp 209.114.146.122 14033 192.168.30.69 1433 netmask 255.255.255.255, plus an extended ACL to allow the traffic. I am trying to create a static PAT to allow a host address to access our network through an ASA. I have external address 209.114.146.122 that I want to hit the external interface on an obscure port (say 14033) and translate that traffic to an internal host address on port 1433.
I have a non-Cisco router with a public WAN address. This is connected to a 3750 switch internally. The switch is the default gateway for all VLANs, and the gateway router has static routes back to the 3750. The router provides NAT; no NAT is done on the switch. My requirement is to port forward port 29000 so that I can access a server on VLAN4 via this port.
So, I have: Router: Port 29000 map to 192.168.4.1 (Switch VLAN4 address)
The question is, how do I route port 29000 from the 3750 to the server on 192.168.4.42? What exactly should I add in order to port forward port 29000 incoming from my router to my server on 192.168.4.42?
I don't seem to be able to get policing working inbound on a port of a 3750X, v15.0(2).
Config is below:
ip access-list extended SMB
permit tcp host 192.168.1.14 host 172.16.1.30
permit tcp host 192.168.1.14 host 172.16.1.31
[code]
I am deploying a Cisco 1841 in place of our basic DSL router. I have an ADSL WIC and FA0/0 connected to our LAN. The LAN IP address range is 192.168.1.0/24. I have dynamic and static NAT configured. At this point, although I have ACLs configured, I have NOT implemented them as yet, for the following reason: I am unable to receive inbound SMTP traffic. I now know my MX records are correct as this all works happily on our basic DSL router. I can send external emails no problem and all internal email works fine. [code] I am in the process of defaulting the router and programming the bare bones to get the link working and see if inbound SMTP works, then start building the blocks again.
I am having difficulty following the logic of the port translation. Here is the configuration on a 5505 with 8.3. So I would have thought the outside access-list should reference the 'mapped' port, but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully.
I'm intending to purchase a switch for work, and I need to limit the bandwidth of one of the ports to 25 Mbit upload and 25 Mbit download (we have a 100/100 Mbit connection and the customer is only paying for 25). I've been trying to find information on how this could be "properly" done and what kind of switch I need to buy. As far as I have understood, most L2+ switches support outbound rate limiting, but not inbound, and as I only want the customer to have 25 Mbit up and down, I need both.
I've been looking at a Cisco Catalyst 3560 switch, and I'm first and foremost wondering if I can limit the inbound AND outbound bandwidth on this switch? Perhaps it can even be done on a simpler, cheaper switch, as I'd rather not spend more money than necessary.
Lastly, how do I limit the inbound and outbound bandwidth on a single port (perhaps on the above mentioned switch, if possible) to 25 Mbit?
I have an ASA 5510 that has multiple site-to-site VPNs. I need to create an additional site-to-site VPN but only allow 1 host to access and traverse the tunnel. The network is on 192.168.5.x but the host that will need to access this tunnel needs to be on a 172.16.33.x network. I don't want any other traffic allowed to access or traverse the VPN tunnel for this host. How can I set this up?
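An added example, not the poster's configuration, of scoping a site-to-site tunnel to a single local host: the crypto ACL names only that host toward the remote 172.16.33.0/24, the NAT exemption covers exactly the same pair, and nothing else on 192.168.5.0/24 can match the tunnel's proxy identities. It assumes ASA 8.4+ with IKEv1, local host 192.168.5.25, remote network 172.16.33.0/24, peer 203.0.113.10, an existing crypto map named outside_map already bound to the outside interface, and that sequence number 30 is unused; all of those are assumptions to be replaced with the real values.

```cisco
! Added example, ASA 8.4+ (IKEv1 L2L). Assumed: local host 192.168.5.25, remote 172.16.33.0/24,
! peer 203.0.113.10, existing crypto map "outside_map" on the outside interface, sequence 30 free.
!
! 1. Crypto ACL: only this host to the remote network. Nothing else is ever encrypted toward
!    this peer, and traffic arriving from the peer for other local hosts fails the proxy-ID check.
access-list VPN_SITE_X extended permit ip host 192.168.5.25 172.16.33.0 255.255.255.0
!
! 2. NAT exemption (identity twice NAT) for exactly the same pair, so the host keeps its real address.
object network HOST_192_168_5_25
 host 192.168.5.25
object network NET_172_16_33
 subnet 172.16.33.0 255.255.255.0
nat (inside,outside) source static HOST_192_168_5_25 HOST_192_168_5_25 destination static NET_172_16_33 NET_172_16_33 no-proxy-arp route-lookup
!
! 3. Crypto map entry and tunnel group.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 30 match address VPN_SITE_X
crypto map outside_map 30 set peer 203.0.113.10
crypto map outside_map 30 set ikev1 transform-set ESP-AES256-SHA
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <shared-secret>
!
! The remote side must use the mirror-image ACL (172.16.33.0/24 -> host 192.168.5.25). A vpn-filter
! on this tunnel's group policy can narrow the allowed ports further if only one service is needed.
!
! Checks:
! show crypto ipsec sa peer 203.0.113.10   (local ident should be the /32, remote ident the /24)
! packet-tracer input inside tcp 192.168.5.25 40000 172.16.33.10 443   (expect a VPN encrypt phase)
! packet-tracer input inside tcp 192.168.5.26 40000 172.16.33.10 443   (another LAN host: no VPN phase)
```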
Trying a simple Easy VPN connection and getting the following in the error logs:
Built inbound UDP connection 684 for outside:xx.xx.xx.xx/1106 (xx.xx.xx.xx/1106) to identity:xx.xx.xx.xx/500 (xx.xx.xx.xx/500)
I am trying to setup an inbound NAT on an ASA5510 running 8.4 code.
object network obj-192.168.1.2
host 192.168.1.2 (internal web server)
object network NAT-external IP
host ** external IP **
object network NAT-external IP
nat (outside,inside) static 192.168.1.2 service tcp https https
access-list outside_access_in extended permit tcp any host 10.2.0.10 eq https
This seems to be setup now?
sh nat
2 (outside) to (inside) source static NAT-*.*.*.* 192.168.1.2 service tcp https https
translate_hits = 0, untranslate_hits = 0
sh access-l
access-list outside_access_in line 2 extended permit tcp any host 192.168.1.2 eq https (hitcnt=27) 0x59383a04
When I try to connect to the external IP using https I get hits on the access list; however, the NAT translate hits do not go up. Do I need to allow the 192.168.1.2 server back out again?
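An added example, not code from any of the posts, covering the port-forwarding questions on this page together: SSH to 192.168.0.6 behind a DHCP-assigned outside address, the mail server 192.168.1.6 with SMTP and webmail on 3000, outside port 80 mapped to port 85 on a LAN host, the 14033-to-1433 static PAT that replaces the old `static (inside,outside) tcp ...` line, and the HTTPS server 192.168.1.2. All use ASA 8.3+ object NAT. Addresses are taken from the respective posts where they were given; the LAN host 192.168.1.10 for the port-85 case, the public address 198.51.100.20 for the HTTPS server, the restricted SQL client 203.0.113.50, and the object and ACL names are assumptions. Two things this syntax makes easy to get backwards: in `nat (real,mapped)` the real (inside) interface is named first, with the service clause as `real_port mapped_port`; and on 8.3+ the outside access list matches the real (untranslated) address and the real port, which is also what the remote-desktop post above (3389 works, 3398 does not) is seeing.

```cisco
! Added example, ASA 8.3+ object NAT. Object and ACL names are assumptions.
!
! (a) SSH to 192.168.0.6 when the outside address comes from DHCP: map onto the interface address.
object network SSH_SERVER
 host 192.168.0.6
 nat (inside,outside) static interface service tcp 22 22
!
! (b) Two ports on the same inside host (mail 192.168.1.6) behind one address: one object per port,
!     because an object carries a single nat statement.
object network MAIL_SMTP
 host 192.168.1.6
 nat (inside,outside) static interface service tcp 25 25
object network MAIL_WEBMAIL
 host 192.168.1.6
 nat (inside,outside) static interface service tcp 3000 3000
!
! (c) Port translation: clients connect to outside port 80, the LAN host (192.168.1.10 assumed)
!     listens on 85. service <real_port> <mapped_port> -> real 85, mapped 80.
object network WEB_ON_85
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 85 80
!
! (d) Dedicated mapped address 209.114.146.122, outside 14033 -> 192.168.30.69:1433. Replaces:
!     static (inside,outside) tcp 209.114.146.122 14033 192.168.30.69 1433 netmask 255.255.255.255
object network SQL_SERVER
 host 192.168.30.69
 nat (inside,outside) static 209.114.146.122 service tcp 1433 14033
!
! (e) HTTPS server 192.168.1.2 on its own mapped address held in a second object (198.51.100.20 assumed).
!     The nat statement lives under the REAL host object and names the mapped object.
object network MAPPED_WEB
 host 198.51.100.20
object network WEB_HTTPS
 host 192.168.1.2
 nat (inside,outside) static MAPPED_WEB service tcp https https
!
! Outside ACL: real addresses and REAL ports (what the server listens on), not the mapped ones.
access-list outside_access_in extended permit tcp any object SSH_SERVER eq 22
access-list outside_access_in extended permit tcp any object MAIL_SMTP eq 25
access-list outside_access_in extended permit tcp any object MAIL_WEBMAIL eq 3000
access-list outside_access_in extended permit tcp any object WEB_ON_85 eq 85
! Database port: only the one known client (203.0.113.50 assumed), never "any".
access-list outside_access_in extended permit tcp host 203.0.113.50 object SQL_SERVER eq 1433
access-list outside_access_in extended permit tcp any object WEB_HTTPS eq https
access-group outside_access_in in interface outside
!
! Checks: untranslate_hits on the matching line should climb with each inbound connection,
! and packet-tracer shows both the UN-NAT phase and the ACL phase.
! show nat detail
! packet-tracer input outside tcp 203.0.113.50 40000 209.114.146.122 14033
! packet-tracer input outside tcp 198.51.100.9 40000 198.51.100.20 443
```

Exposing SSH and a database port to the Internet at all is worth a second thought: where a single client is known, restrict the source as in the SQL line, and prefer a VPN for anything that does not have to be public.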
I'm learning as I go and am having some problems with an ACL:
Extended IP access list 120
permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871
deny ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any
Extended IP access list 130
permit tcp host 172.16.1.192 host 172.17.0.10 eq 4899
permit ip any any
I need to be able to access a server 172.17.0.10 on port 4899 from workstation 172.16.1.192. My ACLs are listed above (obviously!). It's not working as it is. My suspicion is the deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255 in ACL 120. But that is required as we can't have users from the 172.17 network seeing/accessing the 172.16 network.
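An added example, not the poster's configuration, of the usual fix when a permit in one direction is cancelled by a deny on the return path. The reply from 172.17.0.10 (source port 4899) back to 172.16.1.192 is evaluated by ACL 120, where the only statement covering it is the deny for 172.16.0.0/12, so the session never completes. Inserting a narrow permit for that reply above the deny, qualified with `established`, lets the return traffic through without letting 172.17.0.10 open connections into 172.16.0.0/12. It assumes ACL 120 is applied inbound on the 172.17.0.0/24 interface and ACL 130 inbound on the 172.16 side (as their source addresses suggest), and that the existing entries carry the default sequence numbers 10 through 50.

```cisco
! Added example (IOS 12.3+ syntax, sequence numbers in named ACL mode). Assumed: ACL 120 is
! applied "ip access-group 120 in" on the 172.17.0.0/24 interface, ACL 130 "in" on the 172.16 side,
! and the existing lines carry the default sequence numbers 10, 20, 30, 40, 50.
!
! Reply traffic of the 4899 session: src 172.17.0.10:4899 -> dst 172.16.1.192. "established"
! matches only segments with ACK or RST set, so this line cannot be used to open a new connection.
ip access-list extended 120
 5 permit tcp host 172.17.0.10 eq 4899 host 172.16.1.192 established
!
! Resulting order of ACL 120:
!  5  permit tcp host 172.17.0.10 eq 4899 host 172.16.1.192 established   <- new
! 10  permit tcp 172.17.0.0 0.0.0.255 host 172.16.1.7 eq 15871
! 20  deny   ip 172.17.0.0 0.0.0.255 10.0.0.0 0.255.255.255
! 30  deny   ip 172.17.0.0 0.0.0.255 172.16.0.0 0.15.255.255
! 40  deny   ip 172.17.0.0 0.0.0.255 192.168.0.0 0.0.255.255
! 50  permit ip any any
!
! The 15871 session has no such problem: its reply (172.16.1.7:15871 -> 172.17.0.x) is evaluated
! by ACL 130, which ends in permit ip any any.
!
! Check: the counter on sequence 5 should increase while the 4899 session runs.
! show ip access-lists 120
```

"established" is a TCP-flag check, not connection tracking: it is enough here because only one host and one port are involved, but for a larger set of return paths a reflexive or CBAC/zone-based policy is the cleaner tool.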
: Saved
: Written by enable_15 at 03:51:29.049 UTC Mon Feb 4 2013
ASA Version 8.4(4)1
hostname ciscoasa
enable password xxxxx encrypted
passwd xxxxx encrypted
names
interface Ethernet0/0
 switchport access vlan 100
interface Ethernet0/1
interface Ethernet0/2
[code]
I'm trying to develop and test a website from my iPad. I have my laptop and iPad on the same local network, 192.168.1.x. They can see each other over the network and I can access the page 192.168.1.105:80 (my laptop's local web server) from both iPad and laptop. However, the application server runs on port 8080 and I cannot access this from either device/machine. The router's firewall is playing a role, and I have no software firewall running on the laptop that I'm aware of (turned off Windows 7 firewall). localhost:8080/myWebSite or 127.0.0.1 also works on port 8080. The only combo that does not work is 192.168.1.105 with port 8080. I need this so the iPad can hit the site so I can test locally while developing.
I am trying to configure my ASA5505 to allow SMTP relay and the ACL/static I created is not working.