I am planning on building the configuration on my ASA 5505, and then distribute that same configuration to several places on ASA5505's.
What is the best way to do this? Screen dumps of the ASDM. Copy the running-configuration from a text file into the ASA5505. TFTP the running-config.
There seems to be a large number of the subject queries in one form or another. Having acquired an asa 5505 and using 8.43 firmware and the ADSM gui for router configuration it has not been an easy transition from other products. I have come to understand embedded NAT objects for basic port forwarding but am at a loss on configuring twice nat or manual nat, not really ever dealing with it before, or in this manner.
What I would like to suggest to the experts, is to include far more ADSM web gui examples and discussion for manual nat. The tools are all there - in the nat rules editing page, the display of the rules pictorially and the packet flow at the bottom of the page (and finally thru packet tracing). What is needed is more on the actual entries on the nat editing pages and the logic and explanation of those entries. In this forum what I would like to see is when there are responses that they include both the CLI recommended entries b AND the associated adsm web gui pics. With good documents for reading and examples in the forum, I think there should be much less confusion allowing more attention to some very complex scenarios. At the very least I and others like me will get better edumecated. I am looking to understand CIsco packet routing through explanations of the web gui entries. In fact, I am learning far more by trying to understand the web gui vice simply copying and entering CLI commands. In terms of documents, for example, there should be a very thorough explanation of the relationship between "Translated Addr:" in the first NAT editing page with "Destination Inteface" in the second Advanced page .I have added the packet tracing jpegs for further context. There is an UNNAT lookup entry (first trace block, out of view on the pic) a concept which is missing in the documentation I've read that needs to be added but it is illuminating in how the router handles traffic. What is also interesting is the fourth jpeg which also shows the flow designation of a packet and its handling internally (new packet or one that is associated with an existing packet (previously identified and put in an appropriate table xlate etc)).
I am configuring a Cisco ASA 5505 firewall.In the office there is 1 x SBS 2008 server and 5 x PCs, all sat behind a Netgear DGN1000 ADSL router.We want to implement a ASA 5505 for added security.I have configured the internal interface of the Cisco ASA 5505 to be 192.168.0.1 - this is connected to local switch. The client PCs use 192.168.0.1 as their default gateway.I have configured the external ASA 5505 interface to be x.x.x.217. [code]Change the current router status from Router/Firewall/Modem to Modem only (Bridge mode). The ASA 5505 has its outside interface connected into one of the LAN ports of the netgear. The lan port has an IP of 192.168.0.254.
View 3 Replies View RelatedI have 2 ASA 5505 firewalls and 1 cisco 3560 switch.
One ASA 5505 firewall and cisco 3560 switch located at SITE-A. Another ASA 5505 firewall located at SITE-B.
Below is the my connectivity:
Site-A IPSec VPN Site-B
cisco 3560 <----------------------------> ASA 5505<------------------------------------------------------------------------------------> ASA 5505
I planned to create 5 vlans in my cisco 3560 switch. these 5 vlans needs to have internet and needs to access Site-B.
I will write on dafault route to firewall in my cisco 3560 switch. Is ASA 5505 supports this scenario??? If it is then how to configure ASA 5505 firewall.
I have ASA 5505 with base licence. I configured NATing and VPN(site to site). All are working fine.My ASA is base license so i created 2 VLANS, one is inside and outside.Inside i am using 10.91.40.0/24 serie IP addresses.Below are the new requirements that i need to configre:
1. First 30 IP addresses only needs internet directly.( Servers and Management)
2. If remaining IPs likes to use web then traffic needs to forward one proxy server( where he gives user authentiation)
I'm trying to configure UC-Proxy using an ASA 5505 with software version 8.0.4.I was following the instructions in DOC-5704 and ASA 8.0 CLI.I don't have USB security tokens in UC solution, instead I'm using IP phones Cisco 7961 with MIC.I configure all the items as the documentation says but when I restart the phone outside the Firewall, the 7961 don't registrate with the Call Manager.Checking the troubleshooting I found that it's possible certificates problems but I don't know if I need to do something in phones.
I would like to know if there is any consideration when the UC proxy works just with MIC.The outside phone is a Cisco 7961 configured with static IP address and TFTP address of Call Manager (static NAT in ASA).
I like to take log backup in ASA.. and i like to check whether any attack pattern is there?? how could i do this...?Also how could i do a best practise for this?
View 12 Replies View RelatedI need configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.I have attempted to configure rdp access but it does not seem to be working for me. How to modify my current configuration to allow this? I need to allow the following IP addresses to have RDP access to my server: [code] The other server shows up as 99.89.69.334 but is working fine.
I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. My configuration file and what are the commands i need in order to put this through. Also, if there are any bad/conflicting entries. Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course.Also the bolded lines are the modifications I made but that arent working. [code]
configuring the Cisco ASA 5505 device to access my both WAN and LAN ip. LAN ip i need to configure it for web servers to face the internet.
View 11 Replies View RelatedIm trying to configure remote access VPN on ASA5505. I configured it as local CA server, installed digital certificate on remote station and everything looks fine as far as i can see. I'm using cisco VPN client 5.0 on remote station. when i initiate VPN session it fails while trying to connect. Looks like im missing some configuration but i cannot figure out what it is. Currently i have firewall configured to use group authentication and everything works fine. I want to switch it to use certificate authentication, and if possible, confiure firewall to use main mode instead of aggressive mode for better security.
View 4 Replies View RelatedI'm doing something in class where I have to define a ip addressing scheme for multiple buildings in what im guessing is a campus lan. I understand how to subnet, but was never taught how to put it into practice. I'm having trouble grasping the creation of a network for: multiple buildings(4) with 3 levels/floors each, housing around 2000 students and 400 staff, all needing to access the network in each building.The main hall houses the data center on the first of 4 levels.
View 7 Replies View RelatedI have a Cisco home rack lab which is behind my ASA 5505. I use my ASA to connect to the internet. My situation is I travel a lot for work, and I am unable to do my labbing practice. I am pretty new to ASA and would like to do a port forwarding to access my access server which is connected to my Cisco routers and switches.My network topology is this: (internet)-------(ASA 5505)----------(3550)-------(CM32 Access Server)----------(Cisco Rack) This is how I setup my remote access:
Code:
ssh 0.0.0.0 0.0.0.0 outside
I've been working on an application recently that practice ACL configuration, and since finishing I figured it should be put on the internet as there wasnt much more work to do to make it suitable for a website. It allows you to practice both standard and extended ACL configuration by generating a random number of ACL actions for you to configure, and provides the correct config to compare yours against to see if you were correct. It also emulates a router at a very basic level to allow practice when there is no equipment available.
View 9 Replies View RelatedWhat's the best router / handset to get to practice for CCNA Voice?
View 2 Replies View RelatedI'm preparing my self for CCENT and I wonder what are your thoughts on what could I buy to create my own lab.
View 6 Replies View RelatedAny pointers on configuring security on a Cisco 3750X switch that sits on a public (WAN) network. It will distribute connectivity to individual ASA firewalls as there are only two main links from upstream. Obviously I'll be disabling the http server, SSH (besides the management interface), etc.I know I can create ACL's, but worried about performance? I'm looking at blocking Netbios and other protocols that are not nessesery on our network. I've been told to disable the default VLAN... is that a good idea? And instead use the management port? I've looked around but there doesn't seem to be much information about what you should enable or disable on public switches.
View 9 Replies View RelatedI have 2 cisco 6500 in a VSS configuration , All of my Lan access switches are Stack switches and every Stack is connected to the VSS in a Port-channel so basically this is a loop free environment with no blocked ports .As a best practice I left STP in the Background (mstp)which enhanced cisco features to STP should I configure on the Aggregator (6500-VSS) and on the Access switches ?
Because of my topology I dont see the need in configuring most features like Uplink Fast and Backbone Fast but I have configured Loop Guard in addition to UDLD on the 6500 Aggregation Switches (on the port-channels).On the access ports I have configured portfast , bpduguard and guard root (seems a little pointless to configure the two...)
1.should I Leave UDLD on and get rid of LoopGuard and configure Guard root instead ? since LoopGuard cannot be configured with Guard Root.
2.should I configure GuardRoot on access ports if I already have BpduGuard on them ?
3.Is there anything I need to configure on the physicall interface or is everything configured on the port-channel since STP reguards port- channel as a single interface ?
I’m configuring a L2TP IPSEC VPN on a 5505 asa so that windows 7 clients can natively connect. It connects correctly during Phase 1 and 2, but I can’t ping anything or access resources on the internal network. This is my first time working with an ASA.
Master# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname Master
domain-name service.local
[code]....
configuring NAT on intranet firewall. here is the my topology:
DMZ Network - - - - - - - - - External Firewall - - - - - - - - - Internet
|
|
|
Internal Network - - - - - - - - - Internal Firewall
1) I can Ping the intneral host from external firewall, internet firewall and DMZ network
2) Both ASA's are running OS Version 9.0(1)
3) ACL used permit IP any any, on both (i.e inside and outside)
NAT configuration on Internal Firewall (Identity NAT)
object network MGMT-SRV-INSIDE subnet 10.10.10.0 255.255.255.192
object network MGMT-SRV-identity
subnet10.10.10.0 255.255.255.192
object network MGMT-SRV-INSIDE nat (Inside,Outside) static MGMT-SRV-identity
[code]....
ASA is configured with the VPN site to site using the wizard, created the Public IP of contivity, local and remote LAN . I attached the configuration. In contivity have the following settings: Not able to communicate both subnets.Do I need to configure IP subnets and published in the contivity as was done in the ASA?
View 3 Replies View RelatedWe have a requirement where we need to enable a dynamic NAT from DMZ-1 to Inside, I gave the command below, but for some reason it does not work.nat (DMZ-2,Inside) source dynamic any interface,NOTE: The access-list is permitting all the traffic from DMZ-1 and Inside (for test)
View 1 Replies View RelatedWe have a Cisco ASA 5505 at our CORP location, which I have configured the Site2Site VPN to our COLO with a Juniper SRX220h, the site to site works fine, but when users access the Cisco VPN client from home, they cant ping or SSH through the Site2Site. Contacted JTAC and they said its not on their end, so I tried to contact Cisco TAC, no support. So here I am today, after for the 3 days (including Friday last week) of searching the Internet for over 6hrs a day, and trying different examples of other users. The VPN client show the secured route to 10.1.0.0. [code]
View 19 Replies View RelatedI'm having an issue configuring NAT on an ASA running 8.3. 've managed to configure NAT from the Inside interface to the DMZ, using PAT, so that the traffic is hidden behind the IP of the DMZ interface. This seems to work ok.
object network obj_any-18
subnet 0.0.0.0 0.0.0.0
object network obj_any-18
nat (inside,dmz1.005) dynamic interface
The problem I have is when I try to configure a rule for traffic that originates in the DMZ back to the Inside. I can't seem to get any traffic to flow from the DMZ to the Inside, and sometimes I manage to stop traffic flowing in both directions!
What would be the best way to configure the return traffic from the DMZ to the Inside.
I am trying to connect 2 VMWARE servers directly to my 5515-X firewall. [code]ASDM will not let me assign the same VLAN to both Gi0/2 and Gi0/3. I dont want to connect my VMWARE servers to a switch first (that just adds one more component that can fail).
View 4 Replies View RelatedI am configuring new ASA 5520 with AIP module for our network with HA (2 boxes), would be the best practice to configure in order to protect web servers and email server.
View 2 Replies View RelatedI present wish to develop a policy and template for QOS on our ASA 5520 release 8.0(2) we presently have wish to do server hosting in our network for other organization,which the they will be able to access their servers they have both public and private addresses. we do have our one servers also already in production all behind the ASA And therefore we wish to apply qos on the servers to be hosted and we wish to do this on the ASA. how to go about this to apply qos on the ASA?
View 3 Replies View Relatedwant to know the command for configuring NAT on My ASA5505.
Local IP - 192.168.1.0/241
Public IP - 182.73.109.118 255.255.255.252
We have to set up voip for our network(for 50 phones not he cisco phones).
I need to just the route the voip traffic to gateway address of telephonic company(1.1.5.7) where they provide us the connectivity for the setination call.
What sort of protocols should i have to enable in pix i saw the concepts like sip, h323, ras, skinny.
We are using only voip for asa and no data or other traffic should be allowed.
inside adrees: 10.10.10.0/24 for all voip phones
outside:121.21.22.1
telephoneic gateway: 1.1.5.7
I have two ASA 5510's that I want to setup in a Active/Standby configuration. My only question is on how to connect the inside ports to my LAN. I have 5 Catalyst 3750's stacked together that connect to the ASA's. Should I run the inside interface on ASA1 to a port on switch 1. Then run the inside interface on ASA2 to a port on switch2? And make sure both those ports are in the same VLAN? But, then when failover occured, how to I automatically make it clear the arp cache so the traffic starts flowing out of the right port?
View 1 Replies View RelatedIn my lab setup i configured Cisco 3560 switch.
VLAN 20 and VLAN 30 i configured.
VLAN 20 interface IP : 192.168.20.1/24
VLAN 30 interface IP : 192.168.30.1/24.
Inter-vlan communication is happening fine.
For testing for purpose i configured extended ACLs. Here is my requirement: I want to stop communication from VLAN 30 to VLAN 20 but not vice-versa.
Here i configured like this:
access-list 111 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 111 permit ip any any
applied ACL in VLAN 30 interface 'in' direction.
ip access-group 111 in
In this scenario, communication is stopping in both directions. If i ping from one of the IP VLAN 20 to one of the ip of VLAN 30, i was gettng Requested time out. And if i ping from one of the IP VLAN 20 to VLAN 30 interface IP, i was able get pinging.
From VLAN 30 to VLAN 20, i was getting destination host unreachable from VLAN 30 ip( Its fine as its my requirement). So, solution needed to communicate from VLAN 20 to VLAN 30.
I just upgraded an ASA-5510 from 7.0 to 8.4.4-1 and theres a lot of stuff in it I don't recognize that I never added, mostly because of new network objects, nat commands, and other migration stuff. Its been awhile since I've configured the ASA and I think I'd like to start from scratch and clean it up a bit because theres so many lines for so little that I really need.
I have a 5510 assigned an IP address on the outside interface with 3 inside interfaces and below are the only requirements I need.
Network-A (192.168.1.0/24)
- incoming ssh port 2202 goes to node 192.168.1.2
- incoming ssh port 2203 goes to node 192.168.1.3
- handle incoming https (443) requests
- handle incoming www (80) requests
- cannot see Network-B or Network-C
Network-B (10.0.0.0/16)
- ssh to nodes on Network-A
- incoming ssh port 22 goes to node 10.0.0.20
Network-C (192.168.2.0/24)
- ssh to nodes on Network-A
- incoming ssh port 2210 goes to node 192.168.2.2
ASA-5510
- sends logging to syslog node 192.168.1.3 on Network-A
- there are DNS and NTP servers located outside
To configure a dynamic NAT, PAT, or identity NAT rule, I need to perform the following steps:
Step 1 From the Configuration > Firewall > NAT Rules pane, choose Add > Add Dynamic NAT Rule.
The Add Dynamic NAT Rule dialog box appears. However, when I click on Add I don't get the option to Add Dynamic Nat Rule. To see the options I get please see attachment.
The following is a capture of the show version:
ciscoasa# show ver Cisco Adaptive Security Appliance Software Version 8.4(2) <system> Device Manager Version 6.4(1) Compiled on Wed 15-Jun-11 18:17 by builders System image file is "Unknown, monitor mode tftp booted image" Config file at boot was "start up-config"
ciscoasa up 16 mins 57 secs Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 00ab.a72f.0100, irq 0
1: Ext: GigabitEthernet1 : address is 00ab.a72f.0101, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab6d.9802, irq 0
[code]...
This platform has an ASA 5520 VPN Plus license. Serial Number: 123456789AB
Running Permanent Activation Key: 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
Configuration register is 0x0
Configuration has not been modified since last system restart.
I need to configure Site-to-Site VPN (PSK) between two offices. Both offices have ASA 5505 firewall. Office 2 ASA is going to be behind NAT router (ISP) and it's not possible to turn NAT off. There is still a static IP address. Office 1 has a static public IP address and this IP is directly configured to ASA. I'm very unfamiliar with ASA. From my understanding the NAT won't be a problem when the VPN connection is started from the device that sits behind the NAT router?
View 3 Replies View Related
