Cisco Firewall :: Best Practice For Configuring ASA 5505

Jun 6, 2011

I am planning on building the configuration on my ASA 5505, and then distribute that same configuration to several places on ASA5505's.

What is the best way to do this? Screen dumps of the ASDM? Copying the running-configuration from a text file into the ASA5505? TFTP of the running-config?



Cisco Firewall :: ASA 5505 Loss On Configuring Twice NAT

Mar 30, 2012

There seems to be a large number of the subject queries in one form or another. Having acquired an ASA 5505 and using 8.43 firmware and the ASDM GUI for router configuration, it has not been an easy transition from other products. I have come to understand embedded NAT objects for basic port forwarding but am at a loss on configuring twice NAT or manual NAT, not really ever dealing with it before, or in this manner.
What I would like to suggest to the experts is to include far more ASDM web GUI examples and discussion for manual NAT. The tools are all there: in the NAT rules editing page, the display of the rules pictorially and the packet flow at the bottom of the page (and finally through packet tracing). What is needed is more on the actual entries on the NAT editing pages and the logic and explanation of those entries. In this forum what I would like to see is, when there are responses, that they include both the CLI recommended entries AND the associated ASDM web GUI pics. With good documents for reading and examples in the forum, I think there should be much less confusion, allowing more attention to some very complex scenarios. At the very least I and others like me will get better edumecated. I am looking to understand Cisco packet routing through explanations of the web GUI entries. In fact, I am learning far more by trying to understand the web GUI vice simply copying and entering CLI commands. In terms of documents, for example, there should be a very thorough explanation of the relationship between "Translated Addr:" in the first NAT editing page with "Destination Interface" in the second Advanced page. I have added the packet tracing JPEGs for further context. There is an UNNAT lookup entry (first trace block, out of view on the pic), a concept which is missing in the documentation I've read and needs to be added, but it is illuminating in how the router handles traffic. What is also interesting is the fourth JPEG, which also shows the flow designation of a packet and its handling internally (new packet or one that is associated with an existing packet (previously identified and put in an appropriate table, xlate etc.)).


Cisco Firewall :: Configuring ASA 5505 Firewall

Sep 21, 2012

I am configuring a Cisco ASA 5505 firewall. In the office there is 1 x SBS 2008 server and 5 x PCs, all sat behind a Netgear DGN1000 ADSL router. We want to implement an ASA 5505 for added security. I have configured the internal interface of the Cisco ASA 5505 to be - this is connected to the local switch. The client PCs use as their default gateway. I have configured the external ASA 5505 interface to be x.x.x.217. [code] Change the current router status from Router/Firewall/Modem to Modem only (Bridge mode). The ASA 5505 has its outside interface connected into one of the LAN ports of the Netgear. The LAN port has an IP of


Cisco Firewall :: Configuring VLANs In ASA 5505 Switch

Apr 19, 2011

I have 2 ASA 5505 firewalls and 1 Cisco 3560 switch.
One ASA 5505 firewall and the Cisco 3560 switch are located at SITE-A. The other ASA 5505 firewall is located at SITE-B.
Below is my connectivity:
Site-A                                       IPSec VPN                                       Site-B
Cisco 3560 <----------------------------> ASA 5505 <------------------------------------------------------------------------------------> ASA 5505
I plan to create 5 VLANs in my Cisco 3560 switch. These 5 VLANs need to have internet and need to access Site-B.
I will write one default route to the firewall in my Cisco 3560 switch. Does the ASA 5505 support this scenario? If it does, then how do I configure the ASA 5505 firewall?


Cisco Firewall :: Configuring ASA 5505 With Base License

May 11, 2011

I have an ASA 5505 with base licence. I configured NATing and VPN (site to site). All are working fine. My ASA has a base license, so I created 2 VLANs, one is inside and one is outside. Inside I am using the series IP addresses. Below are the new requirements that I need to configure:
1. The first 30 IP addresses only need internet directly (servers and management).

2. If the remaining IPs would like to use the web, then traffic needs to be forwarded to one proxy server (where it provides user authentication).


Cisco Firewall :: Configuring UC-Proxy On ASA 5505 Version 8.0?

Jan 24, 2012

I'm trying to configure UC-Proxy using an ASA 5505 with software version 8.0.4. I was following the instructions in DOC-5704 and ASA 8.0 CLI. I don't have USB security tokens in the UC solution; instead I'm using Cisco 7961 IP phones with MIC. I configured all the items as the documentation says, but when I restart the phone outside the firewall, the 7961 doesn't register with the Call Manager. Checking the troubleshooting, I found that it's possibly a certificate problem, but I don't know if I need to do something on the phones.
I would like to know if there is any consideration when the UC proxy works just with MIC. The outside phone is a Cisco 7961 configured with a static IP address and the TFTP address of the Call Manager (static NAT in the ASA).


Cisco Firewall :: Best Practice For Log Configuration And Backup In ASA5505

Feb 20, 2011

I would like to take a log backup on the ASA, and I would like to check whether any attack pattern is there. How could I do this? Also, what would be the best practice for this?


Cisco Firewall :: 5505 Configuring RDP Access To Local Server

Jun 10, 2012

I need to configure RDP access to my local server from a remote location on my Cisco ASA 5505 firewall. I have attempted to configure RDP access but it does not seem to be working for me. How do I modify my current configuration to allow this? I need to allow the following IP addresses to have RDP access to my server: [code] The other server shows up as but is working fine.
I already added one server for static route and RDP, but when I try to put in the same commands it doesn't allow me to for this new one. Here is my configuration file; what are the commands I need in order to put this through? Also, are there any bad/conflicting entries? Also, I have modified the IP information so that it's not the ACTUAL IP info for my server/network etc... lol, for security reasons of course. Also, the bolded lines are the modifications I made but that aren't working. [code]


Cisco WAN :: Configuring WAN And LAN IP In ASA 5505?

Apr 8, 2012

Configuring the Cisco ASA 5505 device to access both my WAN and LAN IP. The LAN IP I need to configure for web servers to face the internet.


Cisco VPN :: Configuring ASA 5505 As Local CA Server

Feb 19, 2013

I'm trying to configure remote access VPN on an ASA5505. I configured it as a local CA server, installed the digital certificate on the remote station, and everything looks fine as far as I can see. I'm using Cisco VPN client 5.0 on the remote station. When I initiate the VPN session it fails while trying to connect. Looks like I'm missing some configuration but I cannot figure out what it is. Currently I have the firewall configured to use group authentication and everything works fine. I want to switch it to use certificate authentication and, if possible, configure the firewall to use main mode instead of aggressive mode for better security.


IP Address Scheme From Theory To Practice

May 18, 2012

I'm doing something in class where I have to define an IP addressing scheme for multiple buildings in what I'm guessing is a campus LAN. I understand how to subnet, but was never taught how to put it into practice. I'm having trouble grasping the creation of a network for multiple buildings (4) with 3 levels/floors each, housing around 2000 students and 400 staff, all needing to access the network in each building. The main hall houses the data center on the first of 4 levels.


Cisco Security :: Configuring ASA 5505 Port Forwarding?

Apr 19, 2013

I have a Cisco home rack lab which is behind my ASA 5505. I use my ASA to connect to the internet. My situation is I travel a lot for work, and I am unable to do my labbing practice. I am pretty new to the ASA and would like to do port forwarding to access my access server, which is connected to my Cisco routers and switches. My network topology is this: (internet)-------(ASA 5505)----------(3550)-------(CM32 Access Server)----------(Cisco Rack) This is how I set up my remote access:
ssh outside


Cisco :: Access Control List Practice Site?

Apr 25, 2013

I've been working on an application recently that lets you practice ACL configuration, and since finishing I figured it should be put on the internet, as there wasn't much more work to do to make it suitable for a website. It allows you to practice both standard and extended ACL configuration by generating a random number of ACL actions for you to configure, and provides the correct config to compare yours against to see if you were correct. It also emulates a router at a very basic level to allow practice when there is no equipment available.


Cisco :: Best Router / Handset To Get To Practice For CCNA Voice?

May 16, 2011

What's the best router / handset to get to practice for CCNA Voice?


Best Practice Router And Switch For ICND1 And ICND2?

Sep 21, 2012

I'm preparing myself for CCENT and I wonder what your thoughts are on what I could buy to create my own lab.


Cisco WAN :: 3750X Switch Security Best Practice On Public Networks

Feb 1, 2013

Any pointers on configuring security on a Cisco 3750X switch that sits on a public (WAN) network? It will distribute connectivity to individual ASA firewalls, as there are only two main links from upstream. Obviously I'll be disabling the HTTP server, SSH (besides the management interface), etc. I know I can create ACLs, but I'm worried about performance. I'm looking at blocking NetBIOS and other protocols that are not necessary on our network. I've been told to disable the default VLAN... is that a good idea? And instead use the management port? I've looked around but there doesn't seem to be much information about what you should enable or disable on public switches.


Cisco Switching/Routing :: 6500 STP Config On Port-channel Best Practice

Apr 3, 2012

I have 2 Cisco 6500s in a VSS configuration. All of my LAN access switches are stack switches and every stack is connected to the VSS in a port-channel, so basically this is a loop-free environment with no blocked ports. As a best practice I left STP in the background (MSTP). Which enhanced Cisco features to STP should I configure on the aggregator (6500-VSS) and on the access switches?
Because of my topology I don't see the need in configuring most features like UplinkFast and BackboneFast, but I have configured Loop Guard in addition to UDLD on the 6500 aggregation switches (on the port-channels). On the access ports I have configured PortFast, BPDU Guard and Root Guard (seems a little pointless to configure the two...).
1. Should I leave UDLD on, get rid of Loop Guard and configure Root Guard instead, since Loop Guard cannot be configured with Root Guard?
2. Should I configure Root Guard on access ports if I already have BPDU Guard on them?
3. Is there anything I need to configure on the physical interface, or is everything configured on the port-channel, since STP regards the port-channel as a single interface?


Cisco VPN :: Configuring L2TP IPSEC VPN On ASA 5505 / Can’t Ping Or Access Resources

May 2, 2011

I'm configuring an L2TP IPsec VPN on a 5505 ASA so that Windows 7 clients can natively connect. It connects correctly during Phase 1 and 2, but I can't ping anything or access resources on the internal network. This is my first time working with an ASA.

Master# sh run
: Saved
ASA Version 8.2(2)
hostname Master
domain-name service.local



Cisco Firewall :: ASA Version 9.0(1) / Configuring NAT On Intranet Firewall?

Dec 26, 2012

Configuring NAT on an intranet firewall. Here is my topology:
  DMZ Network  - - - - - - - - - External Firewall   - - - - - - - - - Internet
  Internal Network  - - - - - - - - - Internal Firewall
1) I can ping the internal host from the external firewall, internet firewall and DMZ network

2) Both ASA's are running OS Version 9.0(1)

3) ACL used permit IP any any, on both (i.e inside and outside)
NAT configuration on Internal Firewall  (Identity NAT)
object network MGMT-SRV-INSIDE           subnet
object network MGMT-SRV-identity
 object network MGMT-SRV-INSIDE           nat (Inside,Outside) static MGMT-SRV-identity



Cisco VPN :: Configuring VPN Site To Site ASA 5505 With Contivity Nortel

Oct 17, 2012

The ASA is configured with the VPN site to site using the wizard; I created the public IP of the Contivity, local and remote LAN. I attached the configuration. In the Contivity I have the following settings: Not able to communicate between both subnets. Do I need to configure IP subnets and publish them in the Contivity as was done in the ASA?


Cisco Firewall :: Configuring NAT In 8.3 Using DMZ 2

Sep 26, 2011

We have a requirement where we need to enable a dynamic NAT from DMZ-1 to Inside. I gave the command below, but for some reason it does not work.
nat (DMZ-2,Inside) source dynamic any interface
NOTE: The access-list is permitting all the traffic from DMZ-1 and Inside (for test).


Cisco VPN :: 5505 Configuring VPN Client To Site-to-site

Jun 3, 2013

We have a Cisco ASA 5505 at our CORP location, on which I have configured the Site2Site VPN to our COLO with a Juniper SRX220h. The site to site works fine, but when users access the Cisco VPN client from home, they can't ping or SSH through the Site2Site. Contacted JTAC and they said it's not on their end, so I tried to contact Cisco TAC, no support. So here I am today, after 3 days (including Friday last week) of searching the Internet for over 6 hrs a day, and trying different examples of other users. The VPN client shows the secured route to [code]


Cisco Firewall :: Configuring NAT On ASA Running 8.3?

May 15, 2012

I'm having an issue configuring NAT on an ASA running 8.3. I've managed to configure NAT from the Inside interface to the DMZ, using PAT, so that the traffic is hidden behind the IP of the DMZ interface. This seems to work ok.
object network obj_any-18
 object network obj_any-18
nat (inside,dmz1.005) dynamic interface
The problem I have is when I try to configure a rule for traffic that originates in the DMZ back to the Inside. I can't seem to get any traffic to flow from the DMZ to the Inside, and sometimes I manage to stop traffic flowing in both directions!
What would be the best way to configure the return traffic from the DMZ to the Inside?


Cisco Firewall :: Configuring VLANs On 5515-X Is It Possible

Mar 29, 2013

I am trying to connect 2 VMware servers directly to my 5515-X firewall. [code] ASDM will not let me assign the same VLAN to both Gi0/2 and Gi0/3. I don't want to connect my VMware servers to a switch first (that just adds one more component that can fail).


Cisco Firewall :: Configuring New ASA 5520 With AIP Module?

May 14, 2011

I am configuring a new ASA 5520 with AIP module for our network with HA (2 boxes). What would be the best practice to configure in order to protect the web servers and email server?


Cisco Firewall :: Configuring QOS On ASA 5520 Release 8.0(2)?

Jun 20, 2011

I presently wish to develop a policy and template for QoS on our ASA 5520 release 8.0(2). We presently wish to do server hosting in our network for other organizations, so that they will be able to access their servers; they have both public and private addresses. We do have our own servers also already in production, all behind the ASA, and therefore we wish to apply QoS on the servers to be hosted, and we wish to do this on the ASA. How do I go about applying QoS on the ASA?


Cisco Firewall :: Command For Configuring NAT On ASA5505?

Dec 5, 2012

I want to know the command for configuring NAT on my ASA5505.

Local IP -

Public IP -


Cisco Firewall :: Configuring VoIP On ASA 5500?

Nov 20, 2011

We have to set up VoIP for our network (for 50 phones, not the Cisco phones).
I need to just route the VoIP traffic to the gateway address of the telephone company ( where they provide us the connectivity for the destination call.
What sort of protocols should I have to enable in the PIX? I saw concepts like SIP, H.323, RAS, Skinny.
We are using only VoIP for the ASA and no data or other traffic should be allowed.
inside address: for all VoIP phones
telephone gateway:


Cisco Firewall :: Configuring Failover For ASA 5510

Oct 16, 2012

I have two ASA 5510s that I want to set up in an Active/Standby configuration. My only question is on how to connect the inside ports to my LAN. I have 5 Catalyst 3750s stacked together that connect to the ASAs. Should I run the inside interface on ASA1 to a port on switch 1, then run the inside interface on ASA2 to a port on switch 2, and make sure both those ports are in the same VLAN? But then, when failover occurred, how do I automatically make it clear the ARP cache so the traffic starts flowing out of the right port?


Cisco Firewall :: Configuring ACLs 3560 In A Lab

Dec 27, 2011

In my lab setup I configured a Cisco 3560 switch.

I configured VLAN 20 and VLAN 30.
VLAN 20 interface IP :
VLAN 30 interface IP :
Inter-VLAN communication is happening fine.
For testing purposes I configured extended ACLs. Here is my requirement: I want to stop communication from VLAN 30 to VLAN 20 but not vice versa.
Here I configured it like this:
access-list 111 deny ip
access-list 111 permit ip any any
I applied the ACL on the VLAN 30 interface in the 'in' direction:
ip access-group 111 in
In this scenario, communication is stopping in both directions. If I ping from one of the IPs in VLAN 20 to one of the IPs in VLAN 30, I was getting "Request timed out". And if I ping from one of the IPs in VLAN 20 to the VLAN 30 interface IP, I was able to get a ping reply.
From VLAN 30 to VLAN 20, I was getting destination host unreachable from the VLAN 30 IP (it's fine, as it's my requirement). So, a solution is needed to communicate from VLAN 20 to VLAN 30.


Cisco Firewall :: Configuring ASA 5510 From Scratch

Aug 19, 2012

I just upgraded an ASA-5510 from 7.0 to 8.4.4-1 and there's a lot of stuff in it I don't recognize that I never added, mostly because of new network objects, NAT commands, and other migration stuff. It's been a while since I've configured the ASA and I think I'd like to start from scratch and clean it up a bit, because there are so many lines for so little that I really need.
I have a 5510 with an IP address assigned on the outside interface and 3 inside interfaces, and below are the only requirements I need.
Network-A (
   - incoming ssh port 2202 goes to node
   - incoming ssh port 2203 goes to node
   - handle incoming https (443) requests
   - handle incoming www (80) requests
   - cannot see Network-B or Network-C
Network-B (
   - ssh to nodes on Network-A
   - incoming ssh port 22 goes to node
Network-C (
   - ssh to nodes on Network-A
   - incoming ssh port 2210 goes to node
   - sends logging to syslog node on Network-A
   - there are DNS and NTP servers located outside


Cisco Firewall :: ASA 5520 - Configuring Dynamic NAT And PAT

Jan 13, 2013

To configure a dynamic NAT, PAT, or identity NAT rule, I need to perform the following steps:

Step 1 From the Configuration > Firewall > NAT Rules pane, choose Add > Add Dynamic NAT Rule.
The Add Dynamic NAT Rule dialog box appears. However, when I click on Add I don't get the option to Add Dynamic NAT Rule. To see the options I get, please see the attachment.
The following is a capture of the show version output:
ciscoasa# show ver Cisco Adaptive Security Appliance Software Version 8.4(2) <system> Device Manager Version 6.4(1) Compiled on Wed 15-Jun-11 18:17 by builders System image file is "Unknown, monitor mode tftp booted image" Config file at boot was "start up-config"
ciscoasa up 16 mins 57 secs Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB  
0: Ext: GigabitEthernet0 : address is 00ab.a72f.0100, irq 0
1: Ext: GigabitEthernet1 : address is 00ab.a72f.0101, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab6d.9802, irq 0
This platform has an ASA 5520 VPN Plus license. Serial Number: 123456789AB
Running Permanent Activation Key: 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
Configuration register is 0x0
Configuration has not been modified since last system restart.


Cisco VPN :: ASA 5505 / Configuring Site-to-Site VPN?

Aug 19, 2012

I need to configure a Site-to-Site VPN (PSK) between two offices. Both offices have an ASA 5505 firewall. The Office 2 ASA is going to be behind a NAT router (ISP) and it's not possible to turn NAT off. There is still a static IP address. Office 1 has a static public IP address and this IP is directly configured on the ASA. I'm very unfamiliar with the ASA. From my understanding, the NAT won't be a problem when the VPN connection is started from the device that sits behind the NAT router?

