Cisco Firewall :: DVR 8000 Access Through ASA From Outside
Sep 3, 2012
I have my ASA configured with Static PAT commands. Currently there are 6 DVR machines in my organization with different IP Addresses 192.168.8.1 - 192.168.8.6 and port used by all DVR is 8000.I have a requirement to make these DVR able on Internet for management purpose. Right now i am using below command for DVR static PAT .Now my query is that how can i use port 8000 with all the Static PAT to be used for DVR Access with different IP addresses.Secondly, when i try to hit http://111.119.x.x:8000 from internet i got error The Page Cannot be delayed.
I have a Inspiron 8000 and I just formatted the hard drive. I had been using a D-link wireless USB adapter with a D-Link wireless router - with no problems, but now when I try to reinstall the usb wireless adapter it asks for a hard wired connection to the router and even then it won't install and will not connect wirelessly or with the network cable. it seems the internal Dell network adapter has been affected in some way and will not work - as you can see I don't have alot of pc savy..?
I have a dell Inspiron 8000. The computer will not detect the onboard ethernet jack? It does not show up in the devices list. The lights for activity will not come up when I plug an ehternet cable in to it either..
I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.
When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.
The ASA5505 configuration is shown below.
hostname Firewall
interface Ethernet0/0 description Connected To Internet Router switchport access vlan 10
This is my first time to use the Cisco ASA 5500 family. I have a request from a user to create an access rule, to allow all LAN traffic to Destination IP address 165.241.29.17, 165.241.31.254 with Destination TCP port 5060,5061,5070 and UDP port 50000-52399.
I have an ASA 5520 in my company which does all our NAT and Firewall access control. Currently there is a rule in place to allow an incoming connection on port 2222 from a specific ip address to allow access to a web app our developers created. This is a test before the web app is released live. Now the web app can communicate with the specific address and port but the incoming connection on port 2222 isn't getting through. Everything looks great in the firewall but how can I log any hits this ACL takes to identify any potential problems?
I have a server behind an rv042 that i would like to block access to on one port from outside in. I have configured the rule as follows:
priority = 1. policy name<name>. enable<checked>. action = deny. service <service to block>. source interface = wan1. sources = any. destination = <public ip address of server>. day <nothing>.
This does not block the intended port from outside. I also changed the destination to be the private ip address and i changed the source interface to LAN and to *. What is the correct syntax to do this?. Port forwarding is enabled. I noticed that there is one entry in the forwarding table for the public ip but it is going to a dead private ip address. Would this have an effect?
i am using Cisco ASA5510 Firewall in my Network in the distrubition Layer .Private Range of Network Address use in the Network and PAT at the FW for address translation.presently encountering an issue the users behind the FW in my network unable to RDP at port 2000 presented at the Client Network.Able to Telnet on port2000 but not RDP . any changes needed at the FW end to get the RDP Access.
After applying ZBF in a 891, users can not connect to internal resources after a successful VPN establishment. For testing purposes I've created only two zone-pair without using the self-zone, only LAN-to-WAN and WAN-to-LAN. In the last one I've permitted everything in the corresponding class-map. From the point of view of the router, traffic of vpn clients comes in the WAN interface to LAN, right?
Below is the current configuration.
VPN clients get address from the 172.16.73.0/24 pool and internal resources are in the 172.16.72.0/24. Ping from 172.16.73.x to 172.16.7.2 fails.
class-map type inspect match-any CM_LAN_TO_WAN match protocol icmp match protocol tcp match protocol udp class-map type inspect match-any CM_WAN_TO_LAN [Code]....
I can't access our ASA 5505 via SSH from the outside. I've configured this through the ASDM to allow SSH (Device Management > Management Access > ASDM/HTTPS/Telnet/SSH). I added a rule that allows SSH on the outside interface from 0.0.0.0 0.0.0.0. When I try to ssh in with putty, it says "server unexpectedly closed network connection" When I watch the logs on the ASA, it shows a Built inbound TCP connection on port 22, but then immediately a Teardown TCP connection. It doesn't show it's being blocked by any rule. Is there something I'm missing on enabling SSH?
I am migrating an asa 5520 from 8.2 to 8.3 and after the migration the ACL's are blocking access to the DMZ. It looks like the NAT functions were migrated properly by the migration tool but now when I try to access devices in the DMZ the ACL is denying the traffic because my acls in 8.2 had the NATTED IP, not the real IP in the ACL. Now it looks like 8.3 is looking for the real IP and not the NATTED IP.
Here is an example:
Inside network: 172.24.0.0/24 DMZ server real IP: 1.1.1.1 DMZ server NAT IP 2.2.2.2
so, in 8.2 I would have an ACL on the inside interface that said permit 172.24.0.0/24 to 2.2.2.2 eq 80, 443. This acl doesn't work in my 8.3 config because it wants: permit 172.24.0.0/24 to 1.1.1.1 eq 80, 443.
Is this correct for 8.3 or are my NAT rules all messed up after the migration?
I have a PIX 501 with 6.2 FW. The firewall inside network is connected to a Windows server (Mailserver). I can get access to most websites on all clients as well as on the server. However, there are some particular websites, such as facebook.com that the server and all but one client cannot access. I get a "cannot display the webpage" in internet explorer.
I have disabled the Windows firewall and AV. I have also scanned for any malware and no malware was found.
I found on the forums a "fixup protocol dns" solution, but my PIX version does not support it.
I have configured Static NAT on ASA 8.4; and opened the telnet access through following configuration but it is not working. What mistake I am making in my configuration
I have a remote access VPN to our office network 10.42.10.0. however I have some web services that are located in a production network 10.42.1.0 that users in the office network need to access.This is obviously no problem when using remote desktop to an office PC but when users with laptops remote in and try to access the website on the production network it does not work.
Is there any way for the tunnel also to also allow traffic to the production network for the remote hosts?
I have a web server behind my 5505 that I'd like to access from the outside of the 5505 (still within my home network though). Its running on port 3000. I made the changes but I have been unable to access my server from the outside.
I do have an Airport Extreme in from of the 5505 and the 5505 is getting its address via dhcp from the airport. So I'm trying to hit 192.168.2.57:3000 from my wireless airport network.
A Cisco ASA running 8.2.5 with 3 interfaces: Outside (Sec lvl 0)/-nternet IP / DMZ (Sec lvl 2)-192.168.8.0/24 / Inside (Sec level 100)-192.168.1.0/24
An ACL on the DMZ which looks like this:
access list DMZ_IN permit ip 192.168.8.0 255.255.255.0 any access list DMZ_IN deny ip any any access-group DMZ_IN in interface DMZ global (outside) 1 interface nat (DMZ) 1 192.168.8.0 255.255.255.0
Nat Control is not enabled (by default) There is no nat exemption, static identity nat or any nat of any kind set up between the Inside and DMZ.The question is: Will the DMZ network be able to initiate connections to the Inside network or will only outside (internet) access be permitted?
A) No, inside access will not be permitted, only Interenet access will be permitted, because there is no NAT exemption or Static Identity NAT between the lower level security interface (DMZ) and the Higher level security interface (Inside), regardless of the DMZ ACL rule with a destination of ANY.
B) Yes, access to the Internet and the Inside can be initiated because NAT control is disabled and there is an ACL that permits DMZ traffic to 'ANY' destination.
if log on to the firewall with the enable_15 account remotely via a Cisco IPSec VPN client? Similarly, how do you restrict access to the ADSM to the local LAN for the enable_15 account? Is there a way to tell when a user last logged on via an IPSec VPN?
I recently upgraded my asa from 8.2 to 9.1 (reconfigured from scratch - didnot convert old config) and everything seems to be working fine except for communication between my INTERNAL network and my DMZ. Here's my config below -
I have question about license for ASA 5505. I have to put public access point behind ASA into DMZ. Do I need to hava the unlimited license? Does Securipty Plus license include unlimited users option and 50 VLAN or I will need different type of license.
How can I access my webserver (on my private LAN) from the internet? INTERNET------------(53.X.X.1 )ASA(192.X.X.X)DMZ-----------(192.X.X.80)HTTP SERVER. I can ping my public address on the ASA outside interface 53.X.X.1 form the internet, but I'm not sure how to do this. I tried to NAT, but I'm failing.
Recently powered down device (transformer overhaul) and when it booted back up, unable to access with ASDM, SSH...can access directly using HyperTerm, but have only limited commands...will not accept known user/password credentials. When I issue 'show flash' I can see that there are upgrade_startup_errors.log files, but cannot access them.
I have a question about access-lists on ASA: (5520 running 8.4)Often I want to permit all traffic from networks behind an interface (let's say DMZ in this example) to Internet, but NOT to internal networks. Then I first configure a Deny from DMZ to all internal network and then a Permit to ANY. If I forget the first Deny I will allow all traffic also to my internal networks. Is it possible to configure an access-list that permit all traffic from a network to all networks that are reachable via a given interface? In this example: Permit all traffic from DMZ to all networks that are reachable via the Outside-interface? This should permit traffic to Internet and deny traffic to internal networks in one statement.If I specify the outside-interface as the destination only traffic to the interface itself will be allowed.
How to configure SSH access on my PIX 506e. I would like to use local authentication with no AAA server. Also I would like to have telnet disabled completely.
