I would like to find out if security plus license ASA-5505-sec-pl be applied to ASA5505-K8. I think the strength of encryption should not be determining whether additional feature can be applied or not, but I need to confirm with you people..
View 1 RepliesI am having ASA firewall 5520. I want to block yahoo mail, gmail using regex for particular users only.
View 5 Replies View RelatedI have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.
When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.
The ASA5505 configuration is shown below.
hostname Firewall
interface Ethernet0/0
description Connected To Internet Router
switchport access vlan 10
[Code].....
i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.
View 2 Replies View RelatedI've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
View 32 Replies View RelatedInternet ISP -> Juniper SRX 210 Ge-0/0/0
Juniper fe0/0/2 -> Cisco ASA 5505
Cisco ASA 5505 - >Inernal LAN switch.
1. Internet is connected to Juniper Ge0/0/0 via /30 IP.
2. Juniper fe0/0/2 port is configured as inet port and configured the Internal public LAN pool provided by the ISP. And this port is directly connected to Cisco ASA 5505 E0/0. Its a /28 pool IP address. This interface is configured as outside and security level set to 0.
From Juniper SRX, am able to ping public Internet IPs (8.8.8.8).
Issue:
1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30)
2. From ASA no other Public internet IP is pinging.
Troubleshooting Done so far.
1, Configured icmp inspection on ASA.
2. Used the packet tracer in ASA, it shows the packet is flowing outside without a drop.
3. Allowed all services in untrust zone in bound traffic in Juniper SRX.
4. Viewed the logs when I was trying the ping 8.8.8.8 in ASA. It says "Tear down ICMP connection for faddrr **** gaddr **
I'm trying to troubleshoot an ASA5505.
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic. I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did. That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below. However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
show ver
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"
[Code].....
I have a issue where after configuring aaa and rebooting, logging into the console port seems to be auto trying something before it finally times out and let's the user try. I getting the following sequence: [code] I need aaa to work via vty, however I need the device to boot directly to the Username: prompt so I can continue to use my VB script to clear the config when the devices are return from the field.
View 4 Replies View Relatedcrypto map mapName 20 match address NAME_20_cryptomapcrypto map mapName 20 set peer IPADDRcrypto map mapName 20 set transform-set ESP-3DES-SHAcrypto map mapName interface IFNAMEcrypto isakmp identity addresscrypto isakmp enable IFNAMEcrypto isakmp policy 10authentication pre-shareencryption 3deshash md5group 2lifetime 86400crypto isakmp policy 30authentication pre-shareencryption 3deshash shagroup 2lifetime 86400crypto isakmp policy 50authentication pre-shareencryption aeshash shagroup 2lifetime 28800(code)
I need to be sure that when traffic matches access-list "NAME_40_cryptomap" Isakmp policy 50 are used. And then traffic matches "NAME_20_cryptomap" isakmp policy 10 are used. How do i link the crypto map with the specefic isakmp policy?
I encountered this problem with cisco 870 atm interface. I applied service-policy output, its being accepted but when you do a show run interface, it's not there.
View 5 Replies View RelatedIs it possible to use IP "aliases" on an ASA5505 to use as static NAT public IPs to private IPs? For example, I have int e0/0 connected to my ISP using a /30 subnet and I have my private LAN connected to e0/1 with a /24 subnet. At the moment I can use the one usable IP from the /30 to NAT to the private LAN. The ISP is also routing a /28 subnet to the one public IP of the ASA. I would like to use some of the /28 IPs for NAT also. Can it be as easy as just adding the NAT commands? I figure I would have to add that subnet to the ASA somehow, no? In other devices (including the SA520) they use a concept called IP aliases whereby you define what additional IPs the device can use in its NAT config. Does the ASA support aliases? Maybe I have to do something with VLANs?
View 2 Replies View Relatedit is possible use 1 or 2 Gb memory with ASA 5505 or only 512 Mb ?
View 3 Replies View RelatedI have 1 network that I'm trying to make secure, and it needs to access 2 seperate networks. I tried using an ASA5505 that I had on the shelf to accomplish this but discovered that I had the basic license and that was prohibiting me from getting my connection to my 3rd network. I scrapped that idea and grabbed an old pix 501 off the shelf to bring my connectivity to my 3rd network online since the 3rd network is only passing ip traffic to a small group of servers on the outside I figure the 501 should be just fine.
So, here's the problem I am running into:My internal network is 10.10.16.0/16, I have a new domain controller with DHCP on it handing out addresses in the 10.10.16.0/24 range.External Network 1 is 192.168.16.0/24. The services I need from that network are primarily in 192.168.0.0 range, however there is a comcast router 75.123.123.123 (Changed of course) that provides high speed internet I need for my www traffic.External Network 2 is 10.1.1.0/16 I have about 4 servers I need to access on this network and that's it. This network has it's own domain and DHCP controller and I've been given a range of ip's to use on this network of 10.1.3.180-10.1.3.189 My switch is just a plane jane 3com switch with minimal management so I am attempting to use my ASA5505 to handle my layer 3 routing.
So here's my issue:ASA5505 (IN:10.10.16.1, OUT: 192.168.16.6): Passes traffic to External Network 1 and to the comcast router, no problem. All my computers on my 10.10.16.0/16 network have access to everything on 192.168.0.0/24 as well as getting full name resolution and www traffic across the comcast router. Can NOT access 10.1.1.0/16 no matter what. From inside the ASA or from on the inside LAN ports. It CAN ping the PIX 501 PIX 501 (IN:10.10.16.3, OUT: 10.1.3.180) Can ping EVERYTHING. Can ping 192.168.0.0/24, can ping 10.10.16.0/16 and can ping 10.1.1.0/16. Set to globally assign the other IP's in my range as addresses for outgoing traffic.Workstations (IN: 10.10.16.XXX DHCP, using 10.10.16.1 as gateway) Can only access everything on External Network 1. ZERO access to External Network 2. ATM I have both INSIDE and OUTSIDE ACL's wide open for both firewalls just to get connectivity going. I will be tightening it up after it is operational.Attached find a log file (Sensetive data removed of course) that contains the sh run and sh ver for both the ASA5505 and the PIX 501.
I just got an ASA 5505 with Cisco Adaptive Security Appliance Software Version 8.0(4) alredy loaded on it. Should I update/upgrade it to the newest IOS release, or is the 8.0(4) good and stable?
View 3 Replies View RelatedI'd like to setup a DMZ network with the ASA5505. Do I need the "Security Plus Bundle"?
View 1 Replies View RelatedI've been trying to get my WRVS4400N connected to my ASA5505 on the internet through a Cox connection, but it isn't working. I cannot get the ASA to be the DHCP server for the wireless router. I've configured the wireless router as a gateway and pointed the DHCP server to the ASA but no addresses are being passed through to the wireless router. I've included a copy of my config.
ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
[Code].....
We are trying to utilize a 5 ip block of addresses provided by our ISP. What we have assigned from them is like this: 10.10.10.46 - 10.10.10.50 is our ip range. 10.10.10.45 is the gateway. Subnet is 255.255.255.248. If we assign 10.10.10.46 to the outside interface how do we accept inbound traffic from the other addresses?
View 6 Replies View RelatedI have Vlan 100 (inside) and Vlan 65 (Outside)I'm trying to configure RDP and ping traffic from Vlan 100 to Vlan 65 One way.If I connect 2 PCs on E0/0 and E0/1 they can happily ping the their own VLAN ip add 192.168.100.3 and 172.16.65.1I've copied my config,
ASA Version 8.4(4)1
!
names
!
object-group network A_Network
network-object 172.16.65.0 255.255.255.0
[code]....
I have a asa 5505 Sec plus with 3vlan, inside, outside and dmz.
On the outside i have 5 ip's for my use, and in the dmz i have a webserver that need to communicate with one sql server on the inside.
The "sql" also needs to be accessible from outside and thus has a static nat with a dynamic nat so it replies from same ip as on nat ie 72.72.72.5 webserver is natted with 72.72.72.6
sql inside ip is 192.168.1.2, gw 192.168.1.1
webserver ip is 192.168.2.100 gw 192.168.2.1
sec lvl on inside is 100 and on dmz 50
with a dynamic policy running inside-net/24 to dmz-network/24 translagt to dmz 192.168.2.2 i can get it to ping 1 way from inside to dmz, but not the other way around...
All i need is to open 1 port ie 6677 both ways for this communication to work.
I'm not very familiar with the CLI and do most stuf in GUI (know i should learn CLI, but time doesnt let me)...
on access rules i have just added everything from any to any using , ip, icmp, tcp and udp just to be sure... :-)
I want to make it so if a user tries to use a different DNS server the request will be redirected to the one they should be using.I thought this might work but the ASA doesn't do PB routing
ip access-list extended transparent_dns
permit udp any any eq 53
route-map redirect_dns permit 10
match ip address transparent_dns
set ip next-hop ip.of.your.server
route-map redirect_dns permit 20
[code]....
The DNS server is windows 2003?Would policy based NAT or WCCP work for this? If so how would I go about it?
I would like to use an ASA5505 as a simple LAN-to-LAN ethernet router. My plan is to configure two interfaces with the same security level and then use the command that allows interfaces with the same security level to communicate with each other. I can get this to work without having to setup and ACLs or NAT stuff.
View 5 Replies View Relatedfor the purpose of a redundency, incase the primary ISP goes down the backup kicks in.Can this be done with the basic license (max 3 vlans) or you need to have the security plus license. (20 vlans) Currently not using the 3rd vlan (dmz)
View 5 Replies View Relatedsetting up ASA to allow passive FTP connection! I can get the FTP client to connect but it does not pull the directories. I have opened 21 and range of 55536-55566. I had some trouble gettting the range opened and saved. Normally with other small business routers (GUI) I make sure those ports are forwarded and ftp works.
Is the ftp inspection killing connection or is it my config?
ASA Version 8.4(2)
!
hostname ciscoasa
enable password vRLm0eRL2O14iLM6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
[Code].....
Do some have some realistic performance numbers for a ASA 5505 on a mixed setup with local internet breakout and site to site vpn ( and don't tell me 150 mbps 3des throughput on a 100 mbps ethernet) - what can be expected in a live environment where we f.ex feed it with a 100 mbps internet connection - with a site to site vpn with f.ex 20 office workers running office on a remote terminalserver and mixed local internet breakout.
View 2 Replies View Relatedcustomer's WAN solution, instead of buying routers, purchasing department bought ASA's (don't even get me started!). So I have 5 ASA 5505's for the branch offices and one 5510 for the Head Office. I am trying to get them to behave like routers and pass the traffic across. I set up a lab with a 5505 and the 5510 using an ethernet cable for both Outside interfaces since the WAN links are going to be MetroEthernet Layer 2 anyway.
I tried static routes, dynamic routing, I followed examples from other persons who did it and it doesn't work. I attached the configs here to show I have the default routes, specific static routes pointing the traffic out, any any rules configured as well. I cannot ping from the internal lan of the 5505 to the internal lan of the 5510.
I get that to avoid fragmenting the packets we need to reduce the MTU to 1492, fine, but should the MTU restriction be applied at the virtual-template (server)/dialer (client) or on the physical ethernet interfaces?If I apply it to one or the other, which takes precedence? Should I just apply it to both the virtual/dialer interfaces and the ethernet interfaces?
View 6 Replies View RelatedI have a cisco 887 connected as temp measure to a 3g device via a fast0 port. all works fine. VPN comes up...but the moment i apply the crypto map to the vlan.. DHCP stops allocating ip address. I have remove irrelevant config ( dialer, atm etc as they not been used)
config below
p dhcp excluded-address 10.29.80.253 10.29.80.254
ip dhcp excluded-address 10.29.80.1 10.29.80.229
!
[Code]......
I have a cisco ISE 3355 and WLC 5508 and microsoft Active Directory 2008. I joind the ISE to the ADe successfully and I can see all groups on the AD, also I integrated the ISE with the WLC. my problem is when I created the Authentication policy on the ISE and joined to the AP by the PC nothing applied to the PC.
WLC version 7.4
ISE version 1.1.1.268
my client insisting to set a dscp value of 56 (= CS7 , the highest priority) for their video packet without any bandwith restriction in the input of fast ethernet port and PPP Multilink serial output port of the 7513 router. What will be the outcome at time of video streaming and video conference ? As this dscp value CS7 is the highest priority and reserved for network only.we are using ospf routing (some of the network is connected through this multilink port via ospf routing), also this ethernet is connected to various statice routed ip network via cisco asa and cisco 4507. The keep alive ospf neighbor router will be lost or not?
View 2 Replies View RelatedI have a connection between HQ and Branch which connected by GRE tunnel over IPSec. I use Cisco router 3745 that has IOS version: 12.3(18) and Cisco router 2911 that has IOS version : 15.0(1r)M9 with ipbase, security and data license.
I tried to apply command to both routers as follows:
Cisco 3745 (HQ)
crypto isakmp key test address 10.1.1.2
crypto isakmp keepalive 60
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map vpn01 local-address Loopback0
[code]....
When I appied this command that will show a notification as below:
NOTE: crypto map is configured on tunnel interface. Currently only GDOI crypto map is supported on tunnel interface.
*** After appied this command, I cannot ping or send any traffic to HQ. ***
I use this command that is working normally on Cisco router 3745 that has IOS version: 12.3(18) and Cisco router 2811 that has IOS version : 12.4(7b).
it seems that users with active device authorization - e.g. permitting only a certain user defined group - can anyway view all devices or views?Is it possible to apply the same view rule from user management, so that these users can only view certain devices or topologies?
View 5 Replies View RelatedIn earlier versions of LMS it was possible to choose i.e. the Routers category (top level) and enter a series of commands to be excluded from the comparison. In LMS 4.0.1 I experience, in several different installations, that this is not possible. It seems I can enter one exclude command beyond the defaults per category, the rest is not applied even though the feedback from the application is positive. Next time I access the Exclude Commands view, the commands I entered are gone. Is this a change of behaviour or a bug?
View 2 Replies View RelatedSo there are two VLAN's traveling over the port attached to the controller (User vlan 100, and Guest vlan 102). I need to block the guest from everything but the internet allowing the free flow of everything else on the User vlan. All info sanitized of course.I think I have the ACL's correct for what I am trying to accomplish I just can not get this ACL to work on a trunk port.Confirmed the ACL to work correctly on access ports however.
ip access-list extended Wireless
permit ip 172.100.0.0 0.0.255.255 any
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain[code].....