Cisco Firewall :: Frequent Disconnection When Connecting To Servers Behind ASA 5520?

Sep 18, 2011

For several weeks we have been trying to solve a disconnection problem related to servers behind an ASA 5520. Behind this ASA there are:

- a subnet with public IP addresses

- a subnet with private IP addresses; the servers on this subnet are accessible via NAT.

The problem is worse when someone outside our network and behind a NAT device (like an ADSL modem/router) tries to connect to those servers which are using NATted IPs behind the ASA. I tried from my home to connect to this ASA 5520 using AnyConnect and got TCP reset packets. Is there some additional configuration needed to make the ASA work properly? We have other firewalls like PIX or a software firewall (ASG); they work with no problem. Only the ASA 5520 has this issue.

Cisco Firewall :: Mask DMZ Servers From Private Servers And LAN ASA 5520

Jun 11, 2013

We are planning to split the Private servers from the DMZ Servers and configure an additional Interface and segment for this purpose.
 
Private Servers Segment: 192.168.4.0/24 (there is no DHCP all servers' IPs are statically configured)
DMZ Segment: 192.168.3.0/24 (This is a future deployment)
LAN Segment: 172.17.0.0/16
 
Both Private Servers and DMZ Servers are in a colocation, as is the ASA5520. There are multiple branch offices that use subnets within the 172.17.0.0/16 network, and they are connected to the ASA5520 via Metro-E.
 
I do not know if this is possible but what I want to do is this:
 
In order to avoid the change of internal DNS records I want to mask the DMZ servers with a Private Server IP when a Private server or LAN host wants to access it like this:
 
The FTP server in the DMZ has the IP address 192.168.3.100. But when a PC from the LAN wants to reach the FTP server, it should point to its old IP: 192.168.4.100. This way the PC sends a packet to ftp.corporate.net (192.168.4.100), the ASA receives the packet, translates it to 192.168.3.100 and sends it out through the DMZ interface.
 
Also, if the Private Servers want to reach the same FTP, the ASA will act like a proxy-ARP and send the packet to the DMZ by means of the translation of the IP.

Cisco VPN :: 877 To ASA 5520 - Connecting Directly To SIP Servers?

Oct 9, 2012

I've got a VPN connection from a Cisco 877 to an ASA 5520, and on the Cisco 877 I've got a SIP device which doesn't have to go through the VPN. I assume that for the best audio quality I should bypass the VPN and connect directly to the SIP servers, but how do I configure it?

Cisco Firewall :: ASA 5520 - Allow Traffic Between DMZ Servers?

Dec 20, 2011

We can't reach DMZ servers from other DMZ servers. If I ping from one DMZ server to another, sometimes I receive only one ping, sometimes 4, sometimes 0. How can I allow the traffic between DMZ servers?
 
(ASA 5520 Version 8.4)

Cisco Firewall :: ASA 5520 / Cannot Ping External Servers Like Yahoo Or Sony

Jun 14, 2011

I quite recently installed a Cisco ASA 5520, replacing a Linux-based firewall. I have only 2 zones: one is the internal network and the other external. The internal network has web servers, DNS and mail servers, all having public IPs. Everything is OK, but I have seen that if I try to ping an external server, for example [URL], I cannot ping; it says
 
[sylvan@kmdns1 ~]$ ping www.yahoo.com
PING eu-fp.wa1.b.yahoo.com (87.248.112.181) 56(84) bytes of data. 
--- eu-fp.wa1.b.yahoo.com ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5010ms
 
but I can ping perfectly from systems which are outside my firewall. With the Linux firewall I had before, I could ping Yahoo perfectly from any of my internal servers.

Cisco Firewall :: Connecting To ASA 5520 Using CCP

Jan 26, 2013

I'm using the Cisco ASA 5520 on GNS3 .. Everything is working fine, except for one thing. The CCP .. I tried the CCP with a router and it worked, but it can't see the firewall.
 
I have already enabled the HTTP server using "HTTP server enable" and created account using "username admin privilege 15 password admin" also enabled SSH and Telnet on the ASA 

"ssh 0 0 INSIDE"
"telnet 0 0 INSIDE"
 
When I use the CMD to telnet to the ASA, it works just fine. Also, when I connected a router to the ASA I could SSH to it, as well as using PuTTY. Is there a way to troubleshoot? Or even a document that illustrates how to configure the ASA for CCP? Better, a document for configuring the ASA from scratch.

Cisco Firewall :: Connecting Single ASA-5520 To Two Layer 3 Switches?

Sep 30, 2011

Connecting ASA 5520 to two Catalyst 3560G layer 3 switches. What's the best practice to connect the asa-5520 at the edge to the core of my network? What I'm looking to do is connect two routed gigabit ports (gi0/2 and gi03) to two separate layer 3 routed ports on the Catalyst 3560G. I'm wondering how to do it, or if there's any type of failover method? I'm running EIGRP in the network, and the link to the first core switch has a /30 point-to-point connection. Everything works fine; I'm just not sure how to connect the second switch to the firewall. Should I use a different /30 for the point-to-point connection to csw02 gi0/48? (See attachment) How would this affect traffic flowing through this interface? Would I have to duplicate rules I have on my inside (gi0/2) interface? Is there a way to make the inside2 interface standby somehow? I want to know the best way to set this up, so in the event csw01 goes down I don't lose internet. Will EIGRP work its magic and only use 1 path to the ASA? Should I even be using routed interfaces on the ASA, or just use trunked mode? Running ASA 8.4.

Cisco Firewall :: 5520 AnyConnect For IPad / Disconnects Few Times Before Connecting

Apr 18, 2011

I have an ASA 5520 running ver 8.3.(2)8 and configured for AnyConnect VPN. While testing for iPads and iPhones we noticed that on connecting it disconnects a few times before finally connecting. These are the messages logged in the ASA. I don't see authentication as an issue. Results are better with wifi compared to 3G. [Code]

Security / Firewalls :: Cisco ASA 5520 - Mac Address On Servers And Switches

Dec 16, 2011

I am having some challenges on my DMZ network. My servers and Cisco switches in the DMZ are picking up the MAC address of the firewall (Cisco ASA). I have put some static ARP entries on the firewall and switches, but the servers and users on the DMZ are still receiving the MAC address of the firewall. How can I stop the firewall from changing the MAC addresses of the devices on the network? My ASA is a 5520 and I have 2960 switches.

Connecting Clients To Servers?

Apr 19, 2012

I don't know anything about connecting clients to servers & its methods & requirements

Cisco :: Connecting Servers To Core Switch?

Jul 19, 2011

There are more than 15 servers, which include Xen, ESX, VMware, also SAN etc., which are connected directly to the L3 core switch. VLANs are created for each: xen, iscsi, vmware, xen, server. I wanted to know whether there is any other technology, other than directly connecting servers to the core switch and assigning VLANs, that can be used in its place?

Servers :: Laptop Is Not Connecting To Internet?

Feb 3, 2011

Laptop is not connecting to the internet? What can I do?

Cisco Switching/Routing :: Connecting Servers To Nexus 5K

Mar 14, 2012

We recently had 2 Nexus 5Ks installed in our data centre and we are connecting three new servers to the Nexus switches. Each server has 2 10GB ports. 1 port of serverA is connected to 5K1 and the other port is connected to 5K2 (in the same way, the other 2 servers are connected to the Nexus 5K1 and 5K2 switches). So do we need to create a VPC with a port channel (like VPC 1, 2 and 3) for each server connection?

Cisco WAN :: 6500 - Connecting Servers To Core / Distribution Switches

Feb 10, 2013

We are using Cisco Catalyst 6500 switches as collapsed core/distribution switches (2 layer architecture). I want to connect approximately 10 application servers to the network. Can I connect the servers directly to the Catalyst 6500 switches using WS-X6148E-GE-TX line cards? The other option is to use access switches and then connect the servers to the Catalyst 6500 through an access switch (Catalyst 3750).

Servers :: ISA Server 2000 Networking - Connecting Ubuntu Desktop?

Jan 27, 2012

windows server 2003,ISA server 2000 Networking :: Connecting ubuntu desktop?

Linksys Wired Router :: BEFSR41 V4.3 Connecting Media Servers To PS3

Jul 4, 2011

Final results are that if I hardware connect my computer to my PS3 I can access Media Servers. When connected through the router, though my computer acknowledges the PS3, it cannot connect to Media Servers. I have the Linksys BEFSR41 v4.3.

Cisco Firewall :: 5505 PAT With Single Public IP And Several Servers Behind Firewall

Nov 21, 2012

New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
 
-Single static public IP:  16.2.3.4
-Need to PAT several ports to three separate servers behind firewall
-One server houses email, pptp server, ftp server and web services: 10.1.20.91
-One server houses drac management (port 445): 10.1.20.92
-One server is the IP phone server using a range of ports: 10.1.20.156
 
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505.  Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP? [code]

Cisco Firewall :: Different Between ASA-5520-K9 And ASA-5520-K8

Nov 2, 2012

We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now Cisco wants to replace it with ASA-5520-K8.

Cisco Firewall :: 6500 Cannot Ping The Servers Behind The Firewall

Feb 18, 2013

I have 2 FWSM modules in a 6500 switch (failover). I need 5 contexts. When I use routed mode (like in the picture), I cannot ping the servers behind the firewall (I can ping the FW context). In transparent mode, it does not happen. What is the problem with routed mode?

Cisco VPN :: ASA 5520 - Connecting To AnyConnect Clients By IP Address

Feb 8, 2011

I have setup an AnyConnect Connection Profile on my ASA 5520.
 
We have some remote support software which the helpdesk uses to connect to PCs remotely and troubleshoot.
 
I cannot connect to this software using the assigned IP address of the client even though it works fine with our old Nortel VPN.
 
If I hit the IP address the packet gets all the way to the ASA and seems to disappear.
 
I have set up an IPv4 access list on the connection profile which allows any/any access, but still no joy.

Cisco Switching/Routing :: ASA 5520 - Unable To Reach VLan System While Connecting From VPN

May 27, 2013

I have multiple offices in my location. All my external users connect to my site using Cisco client-to-site VPN and access my 2 sites. All users are able to access my 2nd office servers, which are in the 10.10.0.x pool. I have a different VLAN in that same location with the 10.10.35.x series, and users are not able to access the servers in this pool. I am not very familiar with routing. I am using an ASA 5520 firewall.

Cisco Firewall :: Upgrade From 5505 To 5520 On Network - ASA Firewall Throughput

Feb 27, 2013

I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
 
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
 
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard stateful inspection.

Cisco Firewall :: ASA 5520 - Routed Management Interface On Transparent Firewall?

May 5, 2013

I have an asa 5520.  How would I configure my dedicated management interface to be able to route off subnet while the firewall is in transparent mode?

Cisco Firewall :: 5520 Identity Based Firewall Doesn't Work Using Citrix Published

Jul 26, 2012

We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA 5520 firewalls have software release 8.4(3)8 installed. When somebody tries to connect through the identity-based firewalls from a Citrix published desktop environment (PDI), the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in to. The user-of-ip mapping of the PDI's IP address mostly shows other users, which are then used to authenticate the access through the firewalls.
 
What is interesting is that on the AD Agent, using "adacfg.exe cache list | find /i "USERNAME"", I can't see the PDI's IP address either, because it is mapped to another user. Is the Citrix Published Desktop environment supported for connecting through identity-based firewalls? How do the AD Agent, Domain Controllers and firewalls work together? On the firewalls, with "show user-identity ad-agent", we see the following:
 
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
 
Why does Cisco use 1645 and 1646 and not 1812 and 1813? What purpose is the Listening Port used for? We tried the AD Agent modes full-download and on-demand, with the same effect.

Cisco Firewall :: Launch LAND Attack Against Firewall ASA 5520

Apr 15, 2013

I try to launch a LAND attack against my firewall ASA 5520. Everything will work fine. But why, I think it should not work. I use a little tool where I can use a spoofed address, with a cluster shell, and attack the firewall interface with the source of 127.0.0.1 or the IP address of the interface as the source and destination. Then I get a CPU load of 89% with only two hosts. With iptables I can use kernel processes to prevent this. But I don't find anything for ASA.

Cisco Firewall :: 5520 Single Firewall With 2 Core Switches

Jan 4, 2012

Two different WAN links get connected to the firewall via two routers (different IP subnets). I need to get these two WAN streams separately to the core switches. The core switches sit in an Active/Standby scenario. If the Active core goes down, the Standby core will have to take over the traffic. Is my design correct? If not, what do I need to change? The ASA is a 5520.

Cisco Firewall :: ASA 5520 - NTP Server For Firewall Clock Setting

May 22, 2013

I have ASA 5520 installed. I want to use ntp server for firewall clock setting. I found one open-access ntp server (stratum 2) in Los Angeles:
 
[URL] 209.151.225.100
  
Can I use the following command to set ntp server?
 
ntp server 209.151.225.100 source outside.

Cisco Firewall :: Make Communication Between 2 Vlans On Firewall 5520 ASA 8.2

Jan 1, 2012

Communication between 2 VLANs. I have 2 VLANs
 
Vlan 100
ip add 1.1.1.1
!
!
!
Vlan 200
ip add    2.2.2.2 
 
I want to make communication between 2 VLANs on firewall 5520 ASA 8.2.

Cisco Firewall :: ASA 5520 - Corporate Firewall Crash

Feb 27, 2011

I have a serious problem with my corporate firewall, which is an ASA 5520, fv 8.3, with 8 + 1 interfaces. It suddenly started to crash every 10/20 minutes and reboot on its own.
 
First of all I checked system resources, which are in a very low usage state. I also checked interface errors, but nothing strange came out of the error counters analysis. I tried disabling logging and all the service policy rules configured, but nothing changed.
 
Nothing changed and the firewall continues restarting by itself.
 
Last logs I received before crash were:
 
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack =
%ASA-4-711004: Task ran for 35 m sec, Process = Dispatch Unit, PC = 84a619e, Call stack =   0x084A619E  0x084A6512  0x084A70E1  0x084A7987  0x084A7AAA  0x08558B9B  0x08558E8A  0x083D3518  0x083CA145  0x080659D1  0x089196D9  0x08919790  0x089FF711  0x08A27468

Here the sh crash info command on module 0, after last reboot:
[Code] ......

Cisco Firewall :: 5520 Firewall Management Port

Nov 29, 2011

We have an ASA 5520 firewall. We have connected the management port and inside port to the internal network and the DMZ port to the DMZ network. Now we need to configure TACACS and other management tools on DMZ devices through the management port. The problem is that the management devices, TACACS and others, are placed in the internal network.

Cisco Firewall :: ASA 5520 - NAT And Firewall Access Control

Oct 4, 2012

I have an ASA 5520 in my company which does all our NAT and Firewall access control.  Currently there is a rule in place to allow an incoming connection on port 2222 from a specific ip address to allow access to a web app our developers created.  This is a test before the web app is released live.  Now the web app can communicate with the specific address and port but the incoming connection on port 2222 isn't getting through.  Everything looks great in the firewall but how can I log any hits this ACL takes to identify any potential problems?

Cisco Firewall :: ASA 5520 - VPN Traffic Is Getting Dropped Through Firewall

Apr 8, 2011

Our local network is behind the Cisco ASA firewall. Whenever we access the client VPN server, it gets connected, but after a few minutes (may be 5/10/30 min), the sessions terminate. The same traffic through PIX has no issue; the problem is only with the ASA firewall. See the following error; I request you to give the possible root cause for this.
 
2011-04-09 16:15:09    Local4.Info    172.16.1.68    %ASA-6-302016: Tear down UDP connection 87447908 for OUTSIDE:68.22.26.66/4500 to inside:172.16.9.10/4410 duration 0:27:49 bytes 18653

Cisco Firewall :: 5520 - Firewall Behind Two GLBP Routers

May 29, 2012

I have a problem in the configuration of a Cisco ASA 5520, IOS version 8.4. The connection is as follows: LAN network --> Firewall --> Routers with GLBP with virtual IP address. The clients cannot ping the virtual interface of the GLBP group, but I can ping it from the firewall, and I can ping the clients from the firewall. I checked the packet tracer; it gives:
 
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside10,outside) source dynamic LAN interface
Additional Information:(code)

Copyrights 2005-15 www.BigResource.com, All rights reserved