Cisco Firewall :: Configuring NAT In 8.3 Using DMZ 2

Sep 26, 2011

We have a requirement where we need to enable a dynamic NAT from DMZ-1 to Inside, I gave the command below, but for some reason it does not work.nat (DMZ-2,Inside) source dynamic any interface,NOTE: The access-list is permitting all the traffic from DMZ-1 and Inside (for test)

View 1 Replies


ADVERTISEMENT

Cisco Firewall :: ASA Version 9.0(1) / Configuring NAT On Intranet Firewall?

Dec 26, 2012

configuring NAT on intranet firewall. here is the my topology:
 
  DMZ Network  - - - - - - - - - External Firewall   - - - - - - - - - Internet
                                                          |
                                                          |    
                                                          |
  Internal Network  - - - - - - - - - Internal Firewall  
 
1) I can Ping the intneral host from external firewall, internet firewall and DMZ network

2) Both ASA's are running OS Version 9.0(1)

3) ACL used permit IP any any, on both (i.e inside and outside)
 
NAT configuration on Internal Firewall  (Identity NAT)
 
object network MGMT-SRV-INSIDE           subnet 10.10.10.0 255.255.255.192
object network MGMT-SRV-identity
subnet10.10.10.0 255.255.255.192
 object network MGMT-SRV-INSIDE           nat (Inside,Outside) static MGMT-SRV-identity

[code]....

View 1 Replies View Related

Cisco Firewall :: Configuring ASA 5505 Firewall

Sep 21, 2012

I am configuring a Cisco ASA 5505 firewall.In the office there is 1 x SBS 2008 server and 5 x PCs, all sat behind a Netgear DGN1000 ADSL router.We want to implement a ASA 5505 for added security.I have configured the internal interface of the Cisco ASA 5505 to be 192.168.0.1 - this is connected to local switch. The client PCs use 192.168.0.1 as their default gateway.I have configured the external ASA 5505 interface to be x.x.x.217. [code]Change the current router status from Router/Firewall/Modem to Modem only (Bridge mode). The ASA 5505 has its outside interface connected into one of the LAN ports of the netgear. The lan port has an IP of 192.168.0.254.

View 3 Replies View Related

Cisco Firewall :: Configuring NAT On ASA Running 8.3?

May 15, 2012

I'm having an issue configuring NAT on an ASA running 8.3. 've managed to configure NAT from the Inside interface to the DMZ, using PAT, so that the traffic is hidden behind the IP of the DMZ interface. This seems to work ok.
 
object network obj_any-18
subnet 0.0.0.0 0.0.0.0
 object network obj_any-18
nat (inside,dmz1.005) dynamic interface
 
The problem I have is when I try to configure a rule for traffic that originates in the DMZ back to the Inside. I can't seem to get any traffic to flow from the DMZ to the Inside, and sometimes I manage to stop traffic flowing in both directions!
 
What would be the best way to configure the return traffic from the DMZ to the Inside.

View 12 Replies View Related

Cisco Firewall :: Configuring VLANs On 5515-X Is It Possible

Mar 29, 2013

I am trying to connect 2 VMWARE servers directly to my 5515-X firewall. [code]ASDM will not let me assign the same VLAN to both Gi0/2 and Gi0/3. I dont want to connect my VMWARE servers to a switch first (that just adds one more component that can fail).

View 4 Replies View Related

Cisco Firewall :: Configuring New ASA 5520 With AIP Module?

May 14, 2011

I am configuring new ASA 5520 with AIP module for our network with HA (2 boxes), would be the best practice to configure in order to protect web servers and email server.

View 2 Replies View Related

Cisco Firewall :: ASA 5505 Loss On Configuring Twice NAT

Mar 30, 2012

There seems to be a large number of the subject queries in one form or another.  Having acquired an asa 5505 and using 8.43 firmware and the ADSM gui for router configuration it has not been an easy transition from other products.   I have come to understand embedded NAT objects for basic port forwarding but am at a loss on configuring twice nat or manual nat, not really ever dealing with it before, or in this manner.  
 
What I would like to suggest to the experts, is to include far more ADSM web gui examples and discussion for manual nat.   The tools are all there - in the nat rules editing page,  the display of the rules pictorially and the packet flow at the bottom of the page (and finally thru packet tracing).   What is needed is more on the actual entries on the nat editing pages and the logic and explanation of those entries.   In this forum what I would like to see is when there are responses that they include both the CLI recommended entries b AND the associated adsm web gui pics.  With good documents for reading and examples in the forum, I think there should be much less confusion allowing more attention to some very complex scenarios. At the very least I and others like me will get better edumecated.  I am looking to understand CIsco packet routing through explanations of the web gui entries. In fact, I am learning far more by trying to understand the web gui vice simply copying and entering CLI commands.  In terms of documents, for example, there should be a very thorough explanation of the relationship between "Translated Addr:" in the first NAT editing page with "Destination Inteface" in the second Advanced page .I have added the packet tracing jpegs for further context.  There is an UNNAT lookup entry (first trace block, out of view on the pic) a concept which is missing in the documentation I've read that needs to be added but it is illuminating in how the router handles traffic.   What is also interesting is the fourth jpeg which also shows the flow designation of a packet and its handling internally (new packet or one that is associated with an existing packet (previously identified and put in an appropriate table xlate etc)).

View 2 Replies View Related

Cisco Firewall :: Configuring QOS On ASA 5520 Release 8.0(2)?

Jun 20, 2011

I present wish to develop a policy and template for QOS on our ASA 5520 release 8.0(2) we presently have wish to do server hosting in our network for other organization,which the they will be able to access their servers they have both public and private addresses. we do have our one servers also already in production all behind the ASA And therefore we wish to apply qos on the servers to be hosted and we wish to do this on the ASA. how to go about this to apply qos on the ASA?

View 3 Replies View Related

Cisco Firewall :: Command For Configuring NAT On ASA5505?

Dec 5, 2012

want to know the command for configuring NAT on My ASA5505.

Local IP - 192.168.1.0/241

Public IP - 182.73.109.118 255.255.255.252

View 4 Replies View Related

Cisco Firewall :: Configuring VoIP On ASA 5500?

Nov 20, 2011

We have to set up voip for our network(for 50 phones not he cisco phones).
 
I need to just the route the voip traffic to gateway address of telephonic company(1.1.5.7)  where they provide us the connectivity for the setination call.
 
What sort of protocols should i have to enable in pix i saw the concepts like sip, h323, ras, skinny.
 
We are using only voip for asa and no data or other traffic should be allowed.
  
inside adrees: 10.10.10.0/24 for all voip phones
outside:121.21.22.1
telephoneic gateway: 1.1.5.7

View 1 Replies View Related

Cisco Firewall :: Configuring Failover For ASA 5510

Oct 16, 2012

I have two ASA 5510's that I want to setup in a Active/Standby configuration. My only question is on how to connect the inside ports to my LAN. I have 5 Catalyst 3750's stacked together that connect to the ASA's. Should I run the inside interface on ASA1 to a port on switch 1. Then run the inside interface on ASA2 to a port on switch2? And make sure both those ports are in the same VLAN? But, then when failover occured, how to I automatically make it clear the arp cache so the traffic starts flowing out of the right port?                   

View 1 Replies View Related

Cisco Firewall :: Configuring ACLs 3560 In A Lab

Dec 27, 2011

In my lab setup i configured Cisco 3560 switch.

VLAN 20 and VLAN 30 i configured.
VLAN 20 interface IP : 192.168.20.1/24
VLAN 30 interface IP : 192.168.30.1/24.
Inter-vlan communication is happening fine.
 
For testing for purpose i configured extended ACLs. Here is my requirement: I want to stop communication from VLAN 30 to VLAN 20 but not vice-versa.
 
Here i configured like this:
 
access-list 111 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 111 permit ip any any
applied ACL in VLAN 30 interface 'in' direction.
ip access-group 111 in
 
In this scenario, communication is stopping in both directions. If i ping from one of the IP VLAN 20 to one of the ip of VLAN 30, i was gettng Requested time out. And if i ping from one of the IP VLAN 20 to VLAN 30 interface IP, i was able get pinging.
 
From VLAN 30 to VLAN 20, i was getting destination host unreachable from VLAN 30 ip( Its fine as its my requirement). So, solution needed to communicate from VLAN 20 to VLAN 30.

View 1 Replies View Related

Cisco Firewall :: Configuring ASA 5510 From Scratch

Aug 19, 2012

I just upgraded an ASA-5510 from 7.0 to 8.4.4-1 and theres a lot of stuff in it I don't recognize that I never added, mostly because of new network objects, nat commands, and other migration stuff. Its been awhile since I've configured the ASA and I think I'd like to start from scratch and clean it up a bit because theres so many lines for so little that I really need.
 
I have a 5510 assigned an IP address on the outside interface with 3 inside interfaces and below are the only requirements I need.
 
Network-A (192.168.1.0/24)
   - incoming ssh port 2202 goes to node 192.168.1.2
   - incoming ssh port 2203 goes to node 192.168.1.3
   - handle incoming https (443) requests
   - handle incoming www (80) requests
   - cannot see Network-B or Network-C
 
Network-B (10.0.0.0/16)
   - ssh to nodes on Network-A
   - incoming ssh port 22 goes to node 10.0.0.20
 
Network-C (192.168.2.0/24)
   - ssh to nodes on Network-A
   - incoming ssh port 2210 goes to node 192.168.2.2
 
ASA-5510
   - sends logging to syslog node 192.168.1.3 on Network-A
   - there are DNS and NTP servers located outside

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Configuring Dynamic NAT And PAT

Jan 13, 2013

To configure a dynamic NAT, PAT, or identity NAT rule, I need to perform the following steps: 

Step 1 From the Configuration > Firewall > NAT Rules pane, choose Add > Add Dynamic NAT Rule.
 
The Add Dynamic NAT Rule dialog box appears. However, when I click on Add I don't get the option to Add Dynamic Nat Rule. To see the options I get please see attachment.
 
The following is a capture of the show version:
 
ciscoasa# show ver Cisco Adaptive Security Appliance Software Version 8.4(2) <system> Device Manager Version 6.4(1) Compiled on Wed 15-Jun-11 18:17 by builders System image file is "Unknown, monitor mode tftp booted image" Config file at boot was "start up-config"
ciscoasa up 16 mins 57 secs Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB  
0: Ext: GigabitEthernet0 : address is 00ab.a72f.0100, irq 0
1: Ext: GigabitEthernet1 : address is 00ab.a72f.0101, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab6d.9802, irq 0
[code]...
 
This platform has an ASA 5520 VPN Plus license. Serial Number: 123456789AB
Running Permanent Activation Key: 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
Configuration register is 0x0
Configuration has not been modified since last system restart.

View 8 Replies View Related

Cisco Firewall :: Best Practice For Configuring ASA 5505

Jun 6, 2011

I am planning on building the configuration on my ASA 5505, and then distribute that same configuration to several places on ASA5505's.

What is the best way to do this? Screen dumps of the ASDM. Copy the running-configuration from a text file into the ASA5505. TFTP the running-config.

View 2 Replies View Related

Cisco Firewall :: Configuring VLANs In ASA 5505 Switch

Apr 19, 2011

I have 2 ASA 5505 firewalls and 1 cisco 3560 switch.
 
One ASA 5505 firewall and cisco 3560 switch located at SITE-A. Another ASA 5505 firewall located at SITE-B. 
 
Below is the my connectivity:
 
Site-A                                       IPSec VPN                                       Site-B
cisco 3560 <----------------------------> ASA 5505<------------------------------------------------------------------------------------> ASA 5505
 
I planned to create 5 vlans in my cisco 3560 switch. these 5 vlans needs to have internet and needs to access Site-B.
 
I will write on dafault route to firewall in my cisco 3560 switch. Is ASA 5505 supports this scenario??? If it is then how to configure ASA 5505 firewall.

View 4 Replies View Related

Cisco Firewall :: 881W IP Configuring Auth Proxy

Apr 15, 2013

Platform: 881WIOS: C880-DATA-UNIVERSALK9-M 15.0(1)M3License:

I have tried both advsecurity and advipservices

Problem: Configuring an auth-proxy redirect on seccessful authentication,Cisco's documentation states that when you are configuring auth-proxy, you may specify a url in which the clients will be redirected to when successfully authenticated.

The command is:,ip admission proxy http success redirect <url-string>,However, the command does not seem to exist on many of the latter IOS versions. I am also unable to find any documentation with alternate methods of sending a redirection to the client after a successful authentication. Is this command depricated? Is there a more efficient method of redirecting?

View 6 Replies View Related

Cisco Firewall :: Configuring ASA 5505 With Base License

May 11, 2011

I have ASA 5505 with base licence. I configured NATing and VPN(site to site). All are working fine.My ASA is base license so i created 2 VLANS, one is inside and outside.Inside i am using 10.91.40.0/24 serie IP addresses.Below are the new requirements that i need to configre:
 
1. First 30 IP addresses only needs internet directly.( Servers and Management)

2. If remaining IPs likes to use web then traffic needs to forward one proxy server( where he gives user authentiation)

View 2 Replies View Related

Cisco Firewall :: Configuring Remote-desktop On ASA5505 8.4.1?

Oct 28, 2012

I am trying to configure RemoteDesktop on a home lab ASA5505 with IOS 8.4.1 and no matter what I tried, I am unable to remote into a local server behind the firewall. I've searched online and found several threads with solutions online including here at Cisco Support Community forum and have tried them all, but have no success. I'm sure it may be something very simple that I've missed.  
 
ASA Version 8.4(1)!interface Vlan1nameif insidesecurity-level 100ip address 192.168.148.5 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 67.x.x.75 255.255.255.128!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2shutdown!interface Ethernet0/3shutdown!interface Ethernet0/4shutdown!interface Ethernet0/5shutdown!interface Ethernet0/6shutdown!interface Ethernet0/7shutdown!ftp mode passivedns domain-lookup outsidedns server-group DefaultDNSname-server 67.x.x.75domain-name demo.localobject network insidesubnet 192.168.148.0 255.255.255.0object network rdp-serverhost 192.168.148.105object service rdpservice tcp source eq 3389access-list outside_in extended permit tcp any object rdp-server eq 3389pager lines 24mtu inside 1500mtu outside 1500icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400nat (inside,outside) source static rdp-server interface service rdp rdpnat (inside,outside) source dynamic inside interfaceaccess-group outside_in in interface outsideroute outside 0.0.0.0 0.0.0.0 67.x.x.75 1

View 7 Replies View Related

Cisco Firewall :: Configuring ASA Simulation Interfaces On GNS3

May 25, 2012

I have managed to simulate to Cisco ASA's on GNS3 - ASA1 and ASA2. ASA2 is configured as multiple mode to enable contexts while ASA2 has been configured as single mode.
 
On ASA2 I can assign an IP address to its gigabitethernet interfaces as normal, however I'm unable to assign an interface to the gigabitethernet interfaces on ASA1.

View 2 Replies View Related

Cisco Firewall :: ASA5525 / Got Warning Message When Configuring Nat On 8.3 And Later

Jun 11, 2013

I'm configuring the nat on a ASA5525 running on 9.1.2 and got 2 questions, 1. Is the below overlap warning message normal and will not cause any issue? 2. Is there a simple way on 8.3 and later to fulfill the same functionality like 8.2 and earlier?
 
old config on 8.2 and earlier
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 216.19.84.5

[code]....

View 4 Replies View Related

Cisco Firewall :: Configuring Virtual MAC Addresses On ASA 5520?

Jul 21, 2012

I configure the virtual MAC address for a interface on ASA 5520, will enter the following command on the active unit:
 
failover mac address Inside 0012.3456.789a 0023.4567.89ab
 
The active MAC address is of the same as the Inside's burned-in MAC address of the active unit.Similarly, the standby MAC address is of the same as the Inside's burned-in MAC address of the standby unit.Do I get the effect of failover mac address command?

View 1 Replies View Related

Cisco Firewall :: Configuring UC-Proxy On ASA 5505 Version 8.0?

Jan 24, 2012

I'm trying to configure UC-Proxy using an ASA 5505 with software version 8.0.4.I was following the instructions in DOC-5704 and ASA 8.0 CLI.I don't have USB security tokens in UC solution, instead I'm using IP phones Cisco 7961 with MIC.I configure all the items as the documentation says but when I restart the phone outside the Firewall, the 7961 don't registrate with the Call Manager.Checking the troubleshooting I found that it's possible certificates problems but I don't know if I need to do something in phones.
 
I would like to know if there is any consideration when the UC proxy works just with MIC.The outside phone is a Cisco 7961 configured with static IP address and TFTP address of Call Manager (static NAT in ASA).

View 6 Replies View Related

Cisco Firewall :: Configuring Inbound Access On ASA 5520

Dec 18, 2011

I have successfully been able to allow outbound access from inbound hosts  on the appliance; however, I have only one outbound IP address and had to configure outbound access using static PAT.  What I need to do is to configure access to certain inbound hosts from outside.  What's wrong with my running config?  Below are the commands that I believe need to be changed from the configuration. [code]

View 14 Replies View Related

Cisco Firewall :: 5520 - Configuring ASA Management On Sub-interface

Jul 27, 2010

I have two ASA 5520 with 4 Giga interfaces and 1 management interface.
 
I need to use 4 interfaces four data traffic
 
1- Inside
2- Outside
3- dmz-1
4- dmz-2
 
The remaining will be the management interface only.How can I configure the Statefull failover and Management?
 
1- I used the management0/0 for The stateful failover.
 
2- I used gig 0 for outside
 
3- I used gig 1 for inside
 
4- I used gig 2 for dmz-1
 
5- I divided the gig 3 to two sub interfaces
a- gig0/3.1 for dmz-2
b- gig0/3.2 for Management and I defined it as a management-only

View 6 Replies View Related

Sharing :: Configuring Computers With A Firewall Router

Jun 9, 2011

I can't seem to receive emails although I can send them and my prinet is off line. Had an IT guy come out and got me to the internet but he didn't make sure I was receing emails or able to print.

View 1 Replies View Related

Cisco Firewall :: Configuring NAT Port Forwarding Failover On ASA 5550

Mar 26, 2011

I've two Cisco ASA 5550 firewall. I'm don't have much knowlege on configuring this kind of firewall. I need configuring these firewall for simple NAT. I have 3 public IP address. I would like to allow server's inside of the firewall to be able to connect to internet using private address. A basic NAT. Also need to configure some port forwarding. We've bought two firewall for the Active/Active failover support. How can i configure this through ASDM? My ASDM version is 5.2.

View 1 Replies View Related

Cisco Firewall :: Configuring Ad Agent On Windows Server R2 2008 SP1 RUS?

Jul 9, 2012

I want to configure ad agent on windows server 2008 R2 SP1 with all need patch installed.When i try to connect to DC with adacfg dc list, status is UP. Log ADOBserver's don't show any errors. But when try  to do command "adacfg cache list", result - empty.  In what may be the problem? Perhaps it is related to the language of the OS?

View 4 Replies View Related

Cisco Firewall :: 5505 Configuring RDP Access To Local Server

Jun 10, 2012

I need configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.I have attempted to configure rdp access but it does not seem to be working for me. How to modify my current configuration to allow this? I need to allow the following IP addresses to have RDP access to my server: [code] The other server shows up as 99.89.69.334 but is working fine.
 
I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. My configuration file and what are the commands i need in order to put this through. Also, if there are any bad/conflicting entries. Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course.Also the bolded lines are the modifications I made but that arent working. [code]

View 8 Replies View Related

Cisco Firewall :: 3900 - Configuring Active / Standby With Dual ISP

Jan 12, 2013

1. We have Two 3900 Router on the core layer which are terminated with one ISP on one Router and Secondary ISP on Second Router.

2. Can we configure my ASA 5520 with Active/Standby termenating two IPS providers one on Active ASA 5520  and Other ISP  on Standby ASA 5520, so that when Active ISP fail ASA Secondary can become Active and send the Traffic throough Secandary ISP.
 
3. The reasion behind giveing Public IP on Firewall is to Terminate VPN on our Firewall i.e. SSL and IPSEC VPN.
  
Few Clarification If we can achive the above:
 
1. How will the DMZ Servicec nated with my Primary ISP on my Primary ASA will be routed when the Secondary ASA is acting as Active Firewall.

2. Can Web SSL and Client To Site IPSEC  VPN users access service  via the Secondary ISP- ASA when my Primary ASA and ISP is down.

View 7 Replies View Related

Cisco Firewall :: Configuring Inside ACLs With ASDM 5.2 / ASA 5005

Sep 25, 2011

I want to restrict outgoing traffic.  Currently the deafault any, any IP allows all traffic from the inside to the outside.
 
So I created some rules to only allow HTTP and HTTPS.  First I configured a rule to allow all DNS (TCP 53) traffic out.  Then I added a rules to allow HTTP (TCP 80) and secure HTTP (TCP 443) out.
 
When I apply and try to surf out to the internet from a box on the inside network I cannot.  Remove the rules which returns the default any, any IP and traffic flows.
 
Packet tracer shows that the traffic should flow.  And I have had minor traffic flowing but slow.
 
how to only allow web surfing from the inside to outside using the ASDM (5.1) to configure?  I realize this is probably a very simple thing, but I only configure the ASA about once every year!

View 3 Replies View Related

Cisco Firewall :: Configuring Ironport C160 Email Appliance

Sep 20, 2011

One interace is setup as the management interface on a 1 subnet  (which is our main network/domain).
Second interace is setup on a 2 subnet (eventually this will be configured to receive incoming/outgoingmail)

I copied most of the settings from our old firewall for testing purposes.  I can ping our old email firewall which on 2 subnet from our main subnet (1) successfully.

The only way I can get a successful ping with the Ironprot is to have the management interface hooked into our main network.  We don't want this.  We do have Ironport firewall and Webfilter setup similar and working fine.Is there someway I can configure this unit to allow both subnets to talk successfully to each other without having the managment interface connected all the time?

View 1 Replies View Related

Cisco Firewall :: ASA 5550 - Configuring Sub-interfaces On Management Interface

Nov 29, 2011

I am currently doing some research (for my employer) into creating multi-context sub-interfaces on a Transparent ASA 5550.
 
I have not been able to find any details on this subject which state it is or it is not possible. This will be used for Syslog logging.

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved