Cisco Firewall :: DMZ Sub Interfaces Into Sub Interface Of Asa5510

Jul 5, 2012

We have ASA FW 5010 in our organization and we have 4 DMZ's under the DMZ interface on ASA and all DMZ's are created on sub interfaces and assigned different VLANS on each DMZ's.

View 7 Replies


ADVERTISEMENT

Cisco Firewall :: ASA5510 Multiple Outside Interfaces

Jun 16, 2011

We have an ASA 5510 firewall.  There are 4 ports on it configured as 2 outside, one inside, and one DMZ.  We have two cable modems attached to the outside ports.  Our plan is to have the "inside" port directed to one outside port/cable modem, and the DMZ port directed to the other outside port/cable modem.
 
We have been able to get the "inside-to-outside" setup to work but not the "DMZ-to-outside" setup (at least at the same time).First off, is this possible?  If so, what are we likely missing - some way to have a second default route for the DMZ?(My manager is the "Cisco person" here, not me, so I may not have enough info.

View 1 Replies View Related

Cisco Firewall :: Gigabit Interfaces In ASA5510-SEC-BUN-K9?

Jul 14, 2011

I know with a ASA5510-SEC-BUN-K9, you can increase eth0/0 and eth0/1 to gigabit with the right IOS.  Is the same possible with the CSC version of the ASA?

Exact pn is ASA5510-CSC10-K9.  I believe I only have the base license for the ASA, but the security plus for the CSC.

View 4 Replies View Related

Cisco Firewall :: Can ASA5510 Be Configured To Use 2 Outside Interfaces

Feb 12, 2013

I am trying to determine if this is possible or not.  I have tried several configurations and I can only get half of it to work.
 
LAN (10.1.1.0/24) =====>                      <===== OUTSIDE (T-1)
                                            ASA5510
DMZ (10.1.10.0/29) ====>                      <===== BACKUP (DSL LINE)
 
The Cisco ASA5510 currently is configured with the following interfaces: inside, outside backup, and dmz.The backup interface routes to the internet via a DSL modem, it normally is not active.The outside interface routes to the internet via a T-1 line.The inside interface is our local LAN and the DMZ has our email server on it.I am wondering if there is a way to configure the ASA5510 so all internet traffic from the inside LAN goes only through the DSL modem and all the DMZ traffic only goes through the T-1 line.  No inside traffic (inbound or outbound) should go through the T-1.  No DMZ traffic (inbound or outbound) should go through the DSL line.
 
I can get the LAN to use the DSL line with no problem, but the DMZ to T-1 side causes reverse-path errors.I am not looking for redundancy or failover protection.

View 3 Replies View Related

Cisco Firewall :: ASA5510 Static Nat From Outside To 2 Internal Interfaces?

Mar 18, 2012

I have an ASA5510 running 8.2 code and I have over 200 static nats from  the outside to the inside interface and that is how I expose our systems  to the Internet.  If this inside interface fails we also have a bypass  interface that also terminates on the internal network but I am not sure  how the nats will behave given they are statically mapped to the  inside.

View 1 Replies View Related

Cisco Firewall :: ASA5510 Possible To Upgrade Module Of Interfaces From 10mb To 1gb

Jul 29, 2012

I am using Cisco ASA5510 Firewall in my network.  Upgraded the Memory and Flash  to 1GB and 512MB.But the 5 interfaces  ports are  10mbps.Can it possible to upgrade the module  of Interfaceses from 10mb to 1gb?

View 2 Replies View Related

Cisco Firewall :: ASA5510 - Verifying NAT Is Fully Disabled Between Two Interfaces?

Jun 24, 2012

I am trying to configure two inside interfaces without NAT. I am not using nat-control and I have added exemptions for the two networks. I can communicate between the two networks and to the Internet just fine.I would like to verify that NAT is disabled between the two interfaces. I also need to make sure that the Interface IP (specifically for the traffic from inside-test to  the inside network) is not added to packets between the two networks. I would like to be able to verify this as well. In other words I need to have the Source IP address from the originating connection on the inside-test network passed along through to the Inside network device without being replaced by the Interface's IP address. This is a test config for a production environment that will be using a load balancer. The config I have may be working in this regard and the load balancer may be replacing this IP address (that is what I am trying to test), but I am not certain.So far I have the following NAT related running-config command (in regards to these two interfaces):
 
access-list NAT_Exempt extended permit ip 192.168.12.0 255.255.255.0 interface insideaccess-list NAT_Exempt extended permit ip 192.168.3.0 255.255.255.0 interface Inside-testaccess-list NAT_Exempt extended permit ip 192.168.12.0 255.255.255.0 192.168.3.0 255.255.255.0access-list NAT_Exempt_2 extended permit ip 192.168.12.0 255.255.255.0 interface insideaccess-list NAT_Exempt_2 extended permit ip 192.168.3.0 255.255.255.0 interface Inside-testaccess-list NAT_Exempt_2 extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (inside) 0 access-list NAT_Exempt_2nat (inside) 1 0.0.0.0 0.0.0.0nat (Inside-test) 0 access-list NAT_Exemptnat (Inside-test) 1 0.0.0.0 0.0.0.0
global (outside) 1 interfaceglobal (Inside-test) 1 interface

View 11 Replies View Related

Cisco Firewall :: ASA5510 - Traffic Between Multiple Inside Interfaces

Oct 10, 2011

I've been trying to figure this one out for quite a while.  I currently have 2 inside interfaces (data, phone) and I am moving to 3 inside interfaces (servers, workstations, phones).  I have not been able to get any traffic between the interfaces.  With the current setup it was not a major problem.  With the new setup it will be a major problem.
 
Below is a sanitized version of the config.

ASA Version 8.2(1)
!
hostname BOB

[Code].....

View 11 Replies View Related

Cisco Firewall :: How To Enable ICMP Between Two Inside Interfaces ASA5510

Feb 20, 2013

Today I run into a problem with enabling ICMP traffice between two inside interfaces on ASA5510 (version 8.2). I tried to ping from 192.168.1.2 to 192.168.2.2  Failed. But I can visit outside websites or ping from any of the two addresses above to 8.8.8.8 So I checked the configuration shown as follow

<omitted>
interface ethernet0/1
nameif inside

[Code]....

View 3 Replies View Related

Cisco Firewall :: ASA 5550 - Configuring Sub-interfaces On Management Interface

Nov 29, 2011

I am currently doing some research (for my employer) into creating multi-context sub-interfaces on a Transparent ASA 5550.
 
I have not been able to find any details on this subject which state it is or it is not possible. This will be used for Syslog logging.

View 1 Replies View Related

Cisco Firewall :: 5520 Recreate Logical Interfaces For Each Physical Interface

Nov 29, 2012

We have to enable FIPS 140-2 on our ASA5520's for all our IPSEC VPN connections.   We currently have failover on our 5520's. I found a lot of information out there but some seems to conflict one another.What are the things I need to look out for - caveats? Does the clients that connect to the VPN had to use different clients once the FIPS was enabled.Do we need to recreate logical interfaces for each physical interface we have?

View 1 Replies View Related

Cisco Firewall :: ASA5510 Firewall Interface Speed

Jul 21, 2011

I have a ASA5510 and I have a question about the speed the ports can handle, here is one port:
 
-interface Ethernet0/2
- speed 100
-shutdown
- no nameif
-no security-level
-no ip address
 
it's ethernet and not fastethernet so I figure it will only go to 10Mbps, but at the same time I can hard code the speed to 100.

View 2 Replies View Related

Cisco Firewall :: ASA5510 / How To Hide All IPs Behind An Interface

Dec 17, 2012

We use filter rules on an ASA5510 firewall to direct clients to a web filtering server which generally works very well.  However lately we're finding that despite having more web filtering licenses than users, the web filtering licenses are being consumed up, mainly because of a recent increase in the rollout of ipads, iphones, androids etc. We  could deploy a proxy server in the wireless DMZ to make all the  wireless devices appear to web filter as a single IP, and apply a single  policy, but that brings it's own problems. My question is: Is there a way to hide them all behind the interface IP instead, so that all wireless devices appear to the web filter on the LAN as the wireless dmz interface IP rather than the wireless device IP?

View 1 Replies View Related

Cisco Firewall :: Switch ASA5510 Outside Interface Connection

Mar 10, 2011

Our ASA 5510 is running 8.0(5). We recently upgraded the license from base to security plus. By doing so the capacity of the the external port Ethernet0/0 and Ethernet0/1 should increase from the original FE to GE. But, we were still seeing 100 Mbps on our Ethernet0/0 interface. We figured that out that the provider switch is only supporting 100 Mbps which is a bottleneck for us.The provider will be upgrading there switches to 1 Gb switch.
 
We will have to swap the switch connections now from 100 Mbps to 1 Gb switch.What commands should we be familar ourself with?Though this will be doine in our maintenace window.All the transaltions/connections will be dropped in our production environment so we are kind of scared.

View 3 Replies View Related

Cisco Firewall :: ASA5510 - Block IP Address From Outside Interface

Jun 23, 2011

Recently, I've been having significant problems with denial of service on our ASA-5510. Two IP addresses in particular attack my ASA regularly. What kind of rule do I need to create to deny these IP's access to my firewall?

View 4 Replies View Related

Cisco Firewall :: ASA5510 Impossible To Ping Outside Interface

Aug 4, 2011

I'm currently configuring an ASA5510.I connected a laptop (IP 192.168.96.18/255.255.255.0) to port 0/2 and tried to ping 192.168.100.2 ... impossible to ping outside interface.I resetted the config of the ASA to retest more simple. [code]

View 1 Replies View Related

Cisco Firewall :: ASA5510 - Cannot SSH Or ASDM To Management Interface

Jan 21, 2013

I try to SSH and get access denied.
 
I try to ASDM and get "Unable to launch device manager from 172.16.252.100"
 
I think I am missing something. Software is 8.4(5) and running in Transparent Mode.
 
Inside/Outside are in bridge-group 1. No BVI is configured as we will be using Management0/0 for access.
 
login as: test
test@172.16.252.100's password:
Access denied

[Code].....

View 7 Replies View Related

Cisco Firewall :: ASA5510 8.4(5) Outside PPPOE Interface Not Available In Site

May 13, 2013

We have a Cisco ASA 5510 with:
-version: asa845-k8.bin
-ASDM: asdm-711-52.bin
 
Interface "Outside" is a PPPOE configuration.We currently have 36 site to site VPN connections up and running through the "Outside" interface. Now when we try to add, via ASDM, a new site to site VPN connection, we can not choose the "Outside" interface. The interface is just not available. All other interfaces are, bot those are inside interfaces.
 
I tried running ASDM on a different computer (thought that ASDM or java got corrupted perhaps), but the same problem appeared.Now when we "shutdown" the outside interface and "no shutdown" it again, the "Outside" interface is available again when you add a new site to site VPN profile.
 
Sidenote: if we check the current profile of a succesful running site to site VPN, it say's that it's using an inside interface. But that is, ofcourse, not possible.

View 3 Replies View Related

Cisco Firewall :: Managing ASA5510 Using ASDM Via Internal Interface

May 17, 2012

I am currently managing an ASA5510 using ASDM through the management port but I would like to manage the ASA through the internal port.
 
My concern is that I thought I remembered reading someplace that if you setup an internal port for management that it can't be used for anything else.  Is this correct?
 
I only configured one internal port and it is the path to my LAN.  I would hate to configure the port for management only to find that I disconnected my firewall from my internal network in the process.  Can I use my one and only configured internal port for both ASA management and route from my LAN thru the ASA firewall?
 
I currently have the management port set to 192.168.1.1 and my internal interface is 10.1.1.1.  If I open ASDM and connect thru the management port and select Configuration/Device Management/Management  Access/ASDM/HTTPS/Telnet/SSH
 
select "ADD"
select access type "ASDM/HTTPS"
select interface "internal"
IP Address   "10.1.1.0"
Mask       "255.255.255.0"
 
Will that give me access to ASA management thru my internal network but cripple my network access to the ASA? 

View 6 Replies View Related

Cisco Firewall :: ASA5510 Doesn't Shun Host From Outside Interface

Sep 13, 2011

I've been trying to configure the threat-detection scanning-threat shun feature on my ASA5510 running 8.4(2) for some days now. From searching the support community I can see that I'm not the only one having a problem with this feature. The problem I'm having is that after configuring scanning-threat shun, no outside attacking hosts are being shunned. I'm using nmap to simulate a scanning attack. [code]
 
Is this the expected behavior of scanning-threat shun? If so this feature is of very little use to me as blocking my inside LAN is not my goal. I'm trying to protect my LAN from Internet attack. I can add the except command and exempt my LAN, but this still doesn't fix the problem of outside hosts not being shunned.

View 2 Replies View Related

Cisco Firewall :: ASA5510 Pairs - Changing External IP And Interface

Mar 27, 2011

We have 2 firewall (ASA5510) pairs. Each pari configured for Active/Stdby mode.
 
Pair1 : Internet browising, Remote access VPN, Citirx access & L2L VPN access
 
For this pair , I need to move the 'outside' interface to Gig 1/3 and change the IP addresses. (minimize the downtime)[code] Remove the ip from outside interface and add the new IP and enable to monitor interface outside?

View 4 Replies View Related

Cisco Firewall :: ASA5510 - Web Interface On NAS From Remote Site Across VPN Tunnel?

Dec 3, 2012

I have two routers on my internal network.

10.10.199.106 is a Cisco ASA5510.

10.10.199.108 is a Sonicwall NSA 3500
 
The sonicwall handles our site to site VPN tunnels.  The Cisco handles our client to site VPN connections.
 
I have a unit that points to 10.10.199.106 (Cisco) for internet access.  All other clients on the network point to 10.10.199.108 (Sonicwall) for internet access.The device in question, a Synology NAS, is using 10.10.199.68 as it's IP address.
 
I'm trying to hit the web interface on the NAS from a remote site across our VPN tunnel.  The IP scheme on the remote end of the VPN tunnel is 192.168.72.0/24.
 
Going through the VPN, I can hit every object on the network that uses .108 (Sonicwalll) as it's gateway.  However, I cannot hit the unit that uses .106 (Cisco) as it's gateway. 
 
I added a route statement (using ASDM) that routes all traffic destined to 192.168.72.0/24 to the Sonicwall so it can send it back down the VPN tunnel.  If I'm understanding routing correctly, this should allow responses from NAS destined for 192.168.72.0/24 to go back down the VPN tunnel.

View 4 Replies View Related

Cisco Firewall :: ASA5510 - Change Public IP Address On Outside Interface?

Mar 10, 2011

we have two Cisco ASA 5510 in failover configuration.We tried to change the public IP address on the Outside interface of the primary device but it didn't works. The new IP is not reachable from Internet nor pingable from device on the same LAN.The new IP address is in the same subnet of the old IP.

From the switch on which the ASA is connected and from another Cisco PIX we can see the ARP entry. In the analysis, on the old public IP address there was a VPN site-to-site and Webvpn defined.We tried also to shut/no shut the interface and reboot the device.

View 1 Replies View Related

Cisco Firewall :: ASA5510 - Additional Public IPs Added To Outside Interface

Jul 31, 2012

I have run out of public facing IP addresses and I need more. Assuming I have been issued 1.1.1.0/24 and my new/additional range/subnet issued is 2.2.2/0/24 - Can I carry on with the same configuration on my ASA5510 and just add static NAT for new services in the 2.2.2.0/24 range.

i.e.existing config
route 0.0.0.0 0.0.0.0 1.1.1.254 (upstream ISP)
Interface outside ip address 1.1.1.1 255.255.255.0
 NAT 2.2.2.1 to 10.1.2.3

or, assume my ISP will deliver 2.2.2.1 to my outside interface (1.1.1.1.1/24) and if my NAT is in place it will get delivered to 10.1.2.3 inside.
or, put another way I dont need change my set-up as I just static route to my ISP!
 
my real public IP is a /27 can I use my broadcast address (its a legit public IP address)?

i.e 1.2.3.0/27 = 1.2.3.1 to 1.2.3.31
Outside interface = 1.2.3.1/27

Can I use 1.2.3.31 and NAT it to an internal server?

View 3 Replies View Related

Cisco Firewall :: Failover On ASA5510 - Reason Of Interface Tests

Jun 24, 2011

Do I correctly understand that when two ASA 5510 are in fail over pair, the switchover from primary to secondary if one interface of primary goes down shall happen ONLY if failover link is up? So when the fail over link is down and one interface on primary got down also,  interface tests between the two ASAs still are being done , but secondary SHALL NEVER try to become active.

In this case why to make  tests on data interfaces ? What is the reason to make them? If the knowledge of that some interfaces  of primary became down comes through failover link - no need to make additional interface tests - primary will tell about the failure to secondary. If so should run no monitor-interface  if name command to dis load devices and network by foolish  tests?

View 5 Replies View Related

Cisco Firewall :: ASA5510 Static Routes For Management Interface Not Working

Mar 30, 2011

We have several pairs of ASA5510s in failover A/P mode, some running 8.3(2) and others running 8.4(1).
 
e0/0 = outside
e0/1 = inside
m0/0 = management
 
The problem we're having is we can't get anything to route out of the management interface unless we put in a static route at least to the subnet level. For example, we want syslog traffic to exit out m0/0 to our syslog server 10.71.211.79. Our 'gateway of last resort' points to the next hop out e0/0, and a second static route with a higher metric and a more distinct network space is for m0/0 as in:
 
route outside 0.0.0.0 0.0.0.0 192.168.49.129 1route management 10.72.0.0 255.255.0.0 10.72.232.94 10
 
This doesn't work, and ASDM loggin gives this error: ".....Routing failed to locate next hop for udp from NP Identity Ifc:10.72.232.89/514 to management:10.72.211.79/514"
 
If I put in a more granular subnet route, or a host route of the syslog server it works, such as:
 
route management 10.72.211.0 255.255.255.0 10.72.232.94 10   <------------- this works
 
route management 10.72.211.79 255.255.255.255 10.72.232.94 10   <------------- this works too
 
Why won't a static route for 10.71.0.0 255.255.0.0 work in this case?
 
We are going to have numerous hosts access and be sent messages though the management interface of these ASAs, and it would be very burdonsome to have to add a host, or even a subnet, route for every one. I've removed all static routes and tried to rely on EIGRP, but that doesn't work. I also had to put 'passive-interface management' under the EIGRP for this to work.
 
Here is the pertinant ASA config concerning syslog, routing, and interfaces:
 
interface Ethernet0/0 nameif outside security-level 0 ip address 192.168.49.140 255.255.255.128 standby 192.168.49.141 !interface Ethernet0/1 nameif inside security-level 100 ip address xxx.xxx.xxx.xxx 255.255.255.128 standby

[Code].....

View 3 Replies View Related

Cisco Firewall :: ASA5510 - Routing / NATing From Internal Network To Outside Interface IP

Jun 3, 2012

I have an ASA5510 running version 8.2(5) I am having an issue with routing/natting from an internal network to the outside interface IP on port 443 which has a nat back in to another internal address. i works externally in from a public address. i also see log messages to do with IP Spoofing

View 1 Replies View Related

Cisco VPN :: ASA5510 Can't Seem To Route Traffic To Both Interfaces

Sep 12, 2012

I currently have a site to site VPN running connecting a branch office and the Main office using a ASA5510 and ASA 5505. currently PC's at the branch can access the network in the main office using interface 0/1, but we have added another ip range using interface 0/2 and I can't seem to route the traffic to both interfaces. I currently have 0/1 as inside 192.168.10.1 which works, and have added 0/2 as Inside2 192.168.20.1. I know I am forgetting something, any commands to route incoming VPN traffic so PC's at the branch office can connect to both IP ranges?

View 14 Replies View Related

Cisco Firewall :: Difference ASA5510-BUN-K9 And ASA5510-Sec-Bun-K9

Jun 6, 2012

ASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?

View 3 Replies View Related

Cisco :: 2951 - Interfaces Send Netflow Data Despite No Flow Config Under Interface

Aug 17, 2011

Cisco 2951 w/ HWIC-4ESW
IOS 15.0(1)M5 
#sh ip flow int
Vlan533
ip flow ingress
ip flow egress
#
 
The SVI sends the flow data just fine, however I also continue to receive flow data from most other interfaces.
 
I have attached a screenshot of one of our netflow collectors indicating that many of the interfaces are sending flow data even though not configured to do so. We have two different netflow collectors, from different vendors and both confirm the same interfaces sending flow data.
 
Normally I wouldn't care and ignore it, however one of them uses a license limit by interface and is a bit problematic.

View 2 Replies View Related

Cisco VPN :: ASA5510 8.2 Outside Interface With Dhcp

Mar 14, 2013

on the outside interface i cant perform the command ip address dhcp setroute.I get the error: IP and subnetmask form invalid pair indicating broadcast or network address.The commands are there when I do the ? command.  It just will not accept the command with or without dhcp.I am trying to test an ASA-5510 as a 4G failover to our ASA-5520.  This is Verizon's solution but they did not provide IPs, they use passthru on the 4G modem so I'm trying to set up dhcp.  It worked a few days ago.  Not sure what Im missing. The IP I got last time from Verizon was 192.168.0.199. 

View 7 Replies View Related

Cisco VPN :: Configure ASA5510 For L2L VPN Not Using Outside Interface?

Apr 2, 2013

I currently have an ASA5510 with 2 interfaces (outside and Inside) running remote VPN for clients and L2L VPN for a couple of sites. I have traffic entering the inside interface, matching interesting traffic, being wrapped up in IKE / IPSEC and sent out via the outside interface. All straightforward so far.Now I have a new VPN which is required to go over another interface and not the outside. The traffic comes in to the inside interface as normal and should be matched via ACL, encrypted and sent out th e new interface however the traffic is simply sent out of the outside interface and doesn't get any IKE headers. If I reconfigure the interface to be be the outside it does at least match the ACL, wrap it up nicely in IKE and try to get to get to the remote peer.My questions are why does this behaviour occur and why isnt the traffic marked interesting and sent out the new interface.I don't have any issues creating a new VPN if I want it to go external, I just add the required information to the outside_map but i need the traffic to be encrypted and sent over another interface. I not a huge fan of the GUI for this but I've tried both CLI and GUI with the same results.

View 2 Replies View Related

Cisco Security :: ASA5510 - MTU On Outside Interface

Jul 23, 2011

i have a strange issue on a link between two ASA5510: both ASAs are interconnected by a P2P Fastethernet link, and the traffic between both ASAs is being secured by a L2L IPsec tunnel. The configured MTUs are 1500, however packets bigger than 1020byte are being dropped. IOS is 8.0(5). I didn't find so far any CAVEAT describing it.

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved