I'm trying to configure an ASA 5520 with cut-through proxy feature. The user is required to be authenticated when trying to access an outside resource from the inside. This is a test lab before it is implemented in production. [code]
View 15 RepliesI am using a squid proxy behind an ASA5520 firewall to collect the users to the internet. Squid is just necessary to log what is going on in order to find a quick solution when the internet slows down.
Considering that I have unlimited licenses and I would like to get rid of squid, I wonder if the ASA has some functionalities to track which websites are being used and how much traffic is generated. If there is not, I would like to know if Cisco offers a good product to replace Squid.
What are the limitations on the max number of concurrent HTTPS connections when using Auth Proxy for HTTPS traffic on a Cisco ASA 5520.
1) What is the max number of concurrent Authentications that the ASA can perform (HTTPS)?
2) Once Authenticated. What is the max number of concurrent HTTPS Authenticated connections to the back end HTTPS server.
I have a cisco ASA5520 box running with IOS version8.2(5)13 where default policy map is applied globally. But I have not seen any traffic being inspected through included protocol defined under policy map.All configuration seems to be ok for me.
service-policy global_policy global
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0
[code]....
I can no longer SSH to a primary active firewall. It had all of a sudden stopped working. However I am able to SSH to the secondary standby firewall without any problems. I did try to regenerate the RSA key on the primary fw, but still unable to connect. The only way I can connect to it is by using telnet.
I ran the "show asp table socket" command and I'm seeing port 22 listening on the primary IP address (not the standby), foreign address is 0.0.0.0:*. I did a packet capture on port 22 on the inside inside, seeing my request hit the fw and then right away a reset back from the fw.
version 8.2.(5)
model ASA5520
I'm hitting a bug in the software version I'm running? Or what else can I check before rebooting the primary fw?
internet is working with the client except for gmail account using outlook 2010.
View 1 Replies View RelatedI've recently migrated a PIX 525 to ASA 5520, but for some reason (through ASA) the users from OUTSIDE aren't able access services published in DMZ as well as some DMZ servers aren't able to communicate to some OUTSIDE services.
-INSIDE to DMZ is working fine. (through ASA)
-INSIDE to OUTSIDE is working fine. (through ASA)
Below is the configuration from my PIX (where everything works just fine) as well as the one on the ASA (where there is a problem), what could be the cause?In the below case the DMZ hosts from 11.1.10.0 aren't able to access SMTP services (through ASA) and the OUTSIDE users aren't able to access DMZ web server (11.1.10.40) through ASA, this all just works fine with PIX.
object-group network inside_subnet_all network-object object inside_subnet_a network-object object inside_subnet_b network-object object inside_subnet_c network-object object inside_subnet_d network-object object inside_subnet_e network-object object inside_subnet_f network-object object inside_subnet_g network-object object inside_subnet_.access-list OUTSIDE extended permit tcp any object host-11.1.10.40 object- group WWW-HTTPS access-list DMZ extended permit object SMTP object dmz_subnet any access-list INSIDE extended permit ip
I have an ASA5520 with mobile VPN Ipsec.The "splitTunnelAcl" set the group is not working.
View 7 Replies View RelatedI have a Cisco ASA5520 that I have setup to allow a GRE tunnel through from a router at site B. This all works fine when I use the below NAT with associated router object on the inside
object network SWTEST nat (inside,outside) static interface
My problem comes in that this kills off my Cleintless VPN connection to the same firewall, I changed my NAT to point at another of my statically assigned IP addresses, and then nothing works. Can anyone help with what I've done wrong, or what i should do? My rule base allows any GRE in from the source, and rules all look fine.
Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
My 2nd is that I have debug enabled on my rules but am not logging anything.
I'm trying to setup the SSL VPN portal:When I connect via HTTPS to the ASA5520 outside interface I get the login prompt and after successfully login it takes me directly to the Anyconnect client download (starts Anyconnect immediately) even though in the group policy is configured to not prompt the use to chose the post login and the post login is ste to go to Clientless SSL VPN Portal?
View 7 Replies View Relatedwe noticed that the Cisco Secure Desktop / Hostscan is not working with Internet Explorer 10 on Windows7/Windows8.
As described here, the SSL VPN is/should working but no documentation about Cisco Secure Desktop / Hostscan. url...It's a Cisco ASA5520 with the lates release.
- ASA Version 9.1(2)
- ASDM 7.1(3)
- Cisco Secure Desktop csd_3.6.6249-k9.pkg
- Hostscan hostscan_3.1.03104-k9.pkg
i have configured remote access VPN to cisco ASA 5520, Cisco vpn client is connecting fine and both phases are coming up but ipsec phase packets are not encapsulating. and ima not able reach the remote subnets 192.168.10.0 and 192.168.180.0. [code]
View 4 Replies View RelatedWith regarding to the firewall ASA5520, i'm using it in my network, all the confiuration are properly configured and working but with the use of proxy address in internet explorer(e.:206.53.155.129/3128) all the blocked contents as easily accessible simply it bypass all the network through firewall.so will u guide me to block the proxy servers.
View 1 Replies View RelatedI would like to connect devices to my network so that their traffic passes through a proxy running on my computer. I figured the best way to do this is by setting the proxy on my router to the one I am running, but then I would need to have another connection to the computer running the proxy or else there would be an infinite loop ?? something like that. so:
Internet -> router (1) -> my proxy on comp A -> router (2) -> computer B
I have two asa 5520 firewalls. one at my primary data center connected to our production Internet feed, and one at my fail over data center connected to a backup internet feed. I was wondering if there was an easy way to keep the firewall rules in sync between the two firewalls. We have failover with our isp that will move our public facing address block from our primary site to our dr site in the event of a disaster so the ip addresses will not change if we were to have to fail over to the DR site. currently i just have to do any changes that i make on the fail over server but would like a way to at least simi-automat this if not fully automat this so that i can eliminate the possibility of human error of a change happening at primary but never getting don at DR.
View 1 Replies View RelatedI have a server having windows server2003 os. I have configured my web application on this server which is accessible over internet using static ip. But I found that there is an risk of viruses on my server. Thats why now I want to configure this server behind the firewall/Proxy as well as dont want to share my static IP.Is there any way to keep server protected using firewall / Proxy application which is free. And also tell me how to nat the static ip.
View 4 Replies View RelatedWe just recently upgraded a 5540 ASA running 8.2 to a 5555 running 8.6. I have a question concerning disabling proxy ARP with static nat rules in place. We have several instance where devices in a dmz have a static nat entry to the outside and a static nat entry to the inside using the same IP. My question is if we disable proxy arp on the inside interface would that cause device on the inside not to be able to reach the device in the dmz? From what I have seen you don't want to disable it on the outside interface due to all the static nat translations. But we have some that are have nat translation going to the inside as well. How does proxy arp come into play there? Below is a diagram of an example of the setup I a referring to. This is on the new 5555 running 8.6
View 1 Replies View Relatedi have a 5505 running 8.4, and my ISP is giving me a /64 IPv6 Prefix. Basically, I have a subnet between my ASA and my ISP's box which is my outside, running into a private subnet (192.168.0.0), as most of ISP does.I have my ASA behind, and i'd like to turn on IPv6 for my inside hosts, but the problem is that I can't modify the routing on y ISP's side, and thus it will assume all host are directly connected in my outside. Thus, I would need some kind of Neighbor Discovery Proxy on the Outside of the ASA. Is there such feature ?
View 1 Replies View RelatedI access the internet from my company�s LAN, which has a restrictive firewall, so I cannot request the admin to open any ports manually for me. Hence I use a software called your-freedom. This proxy software supports both http as well as socks 4 and 5 proxy (by entering the proxy IP 127.0.0.1 (localhost) and Port 8080 for http proxy OR 1080 for Socks Proxy), and I have successfully been using web browsers and some other softwares that support proxy/ allow proxy info to be entered to login/ connect to the internet. Your-Freedom also supports port forwarding.However, the softwares I intend to use do not have any options to enter proxy methods or proxy ports (as far as I have noticed). I have tried to proxify these 2 softwares using softwares such as SocksCap and Free Cap, but either they don�t work, or my settings in proxifying are not correct. I believe I will have to do port forwarding or proxify the softwares, but have been unable to do so in the correct manner.
Following is the info on the 2 softwares:
1.NOW Trading terminal:[FONT=Times New Roman]Normally when I start the NOW or Zerodha software, the software starts and I get a login screen, but under firewall conditions, I get the initial Splash screen but then the software stops with the error: [b][u]NOW Initialisation failed for Interactive Engine << os error>>.
2.PowerIndia Bulls:The software is written in Java and starts with a batch file (PowerIndiabulls.bat) located in C:UsersDEFAULT_USERNAMEAppD..... I converted this batch file to .exe (with battoexe software) and then ran it through a proxifying software. The .exe start properly without proxifying software but not under proxifying environment. Basically the software needs to connect to the internet using Port 443. I am also expected to keep ports 443, 41599 and 59598 open. software's requirement is available at Indiabulls Securities: Indiabulls Securities is a leading capital market company offering securities broking and advisory services, depository services, equity research services to its clients in India. (item no. 5).To confirm, while the software is unable to connect through port 443, you will get an error message: "Connection to Login Server could not be established" when you try to login with any random Username and Password.To know that the software is able to connect properly, you will get an error: "This User ID is not enabled to be used with this product".
I have a asa5520 with five Internet IP.One for the internet interface and the others are static maped to dmz hosts. It runs rightly until yesterday.Now it will lose the connection to the gateway many times everyday and the dmz hosts can not connect to internet any time. configuration(simplified):
!
interface GigabitEthernet0/0
nameif internet
security-level 0
[Code]....
I called ISP to check,when ISP clear their router's ARP, the asa will lose the connection at the same time and then the ISP's router couldn't learn the ASA's MAC. After I 'clear arp' manually,The ISP's router can learn the ASA's MAC and the connection recovered,but the DMZ's cann't access internet still (of course,There is no problem between DMZ and ASA ,I ping the internet gateway from DMZ host and can not get any reply.).
We have 2 x ASA5520 and I upgraded this to 8.2.2 last year, I see 8.2.5 and now 8.4 is out. If we are having no issues, is it best just to leave it as it is? I can see a couple of features I may find useful in 8.2.5, but 8.4 seems like a huge jump and a risky one too.
View 1 Replies View RelatedI have one firewall ASA5520, are very slow
View 3 Replies View RelatedI am trying to introduce an ASA5520 to my network based on the following diagram: ISP Internet ------> ASA5520 ------- > Cisco Router ------> LAN. The problem is I cannot ping the ASA from the LAN. I can ping it from inside the router. I already allow ICMP within ASA. If i remove the cisco router and replace it by a swich, I can ping the ASA with NO problem.
View 5 Replies View RelatedWe want to use ASA5520 but both Firewall have different CPU. One has CPU Pentium 4 2400 MHz and another has Pentium 4 Celeron 2000 MHz. Can it be configured for replica / failover?
View 5 Replies View RelatedWe have 2 firewalls on PIX facing the Internet and connected to interface e1 (behind it) an ASA version 8.3 Both the PIX (Firewall facing) and the ASA are on the same subnet.
By using Routing statements and statics I have been able to reroute specific traffic to the ASA5520 version 8.3 Now I need to inverse the 2 devices. The ASA5520 will be facing the Internet and the PIX will be behind it.Unfortunately the ASA5520 is refusing to route the traffic to the PIX. The access-lists are open accordingly and a NAT on the ASA has been created.
i have my router connected to ISP then my router directly connected to my ASA5520....i use also ASA5520 as my DHCP Server and i was wondering with the DHCP Server function of ASA 5520 because if i use the ASA 5520 LAN ip ...all workstation will not be able to browse anything from the internet unless i use my ISP DNS IP which they gave me?
View 3 Replies View RelatedGet the following log message on secondary ASA console output when turning on the ASA failover function?
"Mate's service module (CSC SSM 6.6.1125.0) on slot 1 is different from mine (CSC SSM 6.6.1125.0)"
After that the secondary cannot join as a failover unit and shows in disabled status.We have the same model ASA & CSC module and each pair of them are in same firmware (CSC 6.6.1125.0 with ASA5520 8.4(4)1), when I shutdown both the csc modules, the ASA failover works fine.
Upgraded an ASA5520 from 7.x to 8.4 in one step? Release notes for 8.4 state that you can "...upgrade from any previous release directly to 8.4..." I've read the previous version release notes and see the various changes in NAT etc that 8.3 made.
View 3 Replies View RelatedMy customer had 2 asa5520 version:8.0(5)20 and LMS 4.0.1.Two Firewall are "unknow" on LMS, why ?Normally, LMS manages ASA with version 7 min.
View 1 Replies View RelatedAny limits on the number of IPSec sessions an ASA5520 can support over a DSL connection?
Currently, as we increase the number of IPSec VPN tunnels, our LAN switches connected to the DSL/ASA start seeing CRC/input errors. Tried different LAN ports for both DSL/ASA connections - same reults (CRCs and errors). Swapped ASA for PC running 1 IPSEC w/HD video and no issues.
VPN connection bandwidth demand 50% of DSL capacity, so not exceeding DSL bandwidth. Errors get so bad that all VPN sessions drop - sometimes VPN sessions re-establish while other instances a DSL modem reboot is required.
cause of LAN switch connections seeing errors with 4+ VPN sessions established on ASA across a DSL Internet circuit?
Platform: 881WIOS: C880-DATA-UNIVERSALK9-M 15.0(1)M3License:
I have tried both advsecurity and advipservices
Problem: Configuring an auth-proxy redirect on seccessful authentication,Cisco's documentation states that when you are configuring auth-proxy, you may specify a url in which the clients will be redirected to when successfully authenticated.
The command is:,ip admission proxy http success redirect <url-string>,However, the command does not seem to exist on many of the latter IOS versions. I am also unable to find any documentation with alternate methods of sending a redirection to the client after a successful authentication. Is this command depricated? Is there a more efficient method of redirecting?
recently i have install asa 5520 (8.2) in my networks.Earlier I was using my transparent proxy with 2821 by the following configuration access-list 120 deny ip host 192.168.112.12 anyaccess-list 120 permit tcp any any eq wwwaccess-list 120 deny ip any any route-map PROXY-REDIRECT permit 10match ip address 120set ip next-hop 192.168.112.12 ip policy route-map PROXY-REDIRECT and was working fine. How i can use my transparent proxy with ASA?
View 2 Replies View Related