I would like to know how can we allow traffic on ports 3389 (rdp) and 8007 which comes from any to 192.168.2.10 but pretend to be a Phones interface 192.168.2.1? [code]
View 9 RepliesThere is a PIX firewall and it has this configured on it.static (inside,outside) tcp interface 3389 192.168.1.250 3389 netmask 255.255.255.255 0 0.This line of code works ok for port 3389 but I want all tcp ports to be translated. Not just 3389.
View 2 Replies View RelatedI have an ASA pair configured to replace a router that hosts a collection of IPSec Tunnels. Tunnels appear to work. I am lab'ing some additional controls that I would like to implement. On the Production Router that i plan to replace with the ASA's the current Tunnels are all wide open (all traffic allowed to pass). I was hoping to lock things down a little without having to reconfigure all of the Tunnels. My though was that an ACL on the Inside Interface blocking selected traffic Out (so into the LAN) should not impact the stability of the Tunnels but allow me to restrict some traffic from entering the LAN. One port that I was attempting to block is RDP 3389. When this ACL is applied to the inside interface it does not block Port 3389 at all. What am I missing? Is it that the trffic is being allowed because it is coming through one of my 'open' Tunnels?
Shouldn't IPSec Tunnel traffic be processed by the Inside Interface ACL just like all other traffic?
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 3389
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 135
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 137
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 138
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 139
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 445
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 389
access-list 145 permit ip any any
ip access-group 145 out interface Internal
This work great on a 2821 Router, but not so much on the ASA.
I am in search of a new routers. I don't have any special task to do. Just the flow of maximum 2mb/sec data and some times video conference. However I need the Voip solution as well. I just got excited on the cisco ASA 5505 product. Can this fulfill my requirements. Can this work as the router 1841. Does this support DMVPN, SSL VPN and dynamic routing. Can I upgrade the IOS for dynamic routing purpose. Do you recommend to purchase this produe act or not instead of router ? What are the limitations of this product. If I purchase this I can use this as an router as well as strong security solution. How many ports are available for traffic flow in ASA 5505. Are all routed mode or some of them switch port.
View 1 Replies View Relatedenabling traffic between interfaces on the ASA 5510. Of course I have an outside interface E0/0 and an inside interface (E0/1) for normal operation. The idea was to enable one of the remaining interfaces on the 5510 to attach an internal network resource to for management in case we lost our switch. I am using E0/0 as the outside interface and the inside interface is E0/1. I am wanting to attached a management device on the same inside network IP address range for simplicity. I have E0/2 configured for the same security level (100) as the other inside interface and I also have enabled same-security-traffic permit inter-interface as well but I still cannot access the device on that port. Is there something else I am missing? I guess the best way to explain this is that I want ports E0/2 and E0/3 to act like a "switch" so to say...... The ASA 5505 lets you do this pretty easy but having trouble on the 5510.
View 4 Replies View RelatedI have a question around pix 501 (6.3) configuration. I am trying to allow traffic from a single Citrix CAG across a variety of ports (80,443,9001-9005,27000,7279,1494,2598) from external (dmz) interface through to multiple addresses (on the same ports) on the internal (secure) network and dont know how to best approach it or if its possible. The only way I have found to allow traffic through is via Static Nat entries which I cant see will work for this requirement as we need some ports to be allowed into multiple addresses.
View 6 Replies View Related192.168.1.10 --> ASA 1-----> ASA 2-------> ASA 3----> server (172.21.16.15)
We have opened 3389 , 80 & 445 ports on all firewalls ( ASA 1, ASA 2, ASA ) for server (172.21.16.15) from (192.168.1.10).We are able to see connection in ASA 1 under show connection for 3389, 445 ,80.
We are not able to see connections in ASA 2 & ASA 3 under show connection for 3389. But we are able to see hits in ACl.
I'm trying to get my ASA 5505 (IOS 8.4) to work, but got stuck on NAT because I would like to allow 3389 access for just a couple of WAN IP's. This is what I found so far:
(config)# object network Internal_RDS(config-network-object)# host 192.168.1.10
(config-network-object)# nat (inside,outside) static interface service tcp 3389 3389(config-network-object)# exit
(config)# access-list inbound permit tcp any object Internal_RDS eq 3389
(config)# access-group inbound in interface outside
But this will allow all WAN IPs to access 192.168.1.10 over port 3389 I guess? I would like to allow only some WAN IP's
I would like to setup an cisco ASA 5505 to only allow certain IP's on port 3389, but i can't get it to work. Maybe some of you experts know why?
Here is my config:
ASA Version 8.4(3)!hostname cisco-asaenable password ** encryptedpasswd ** encryptednames!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.253 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 95.*.*.* 255.255.255.248!ftp mode passiveobject network obj_anysubnet 0.0.0.0 0.0.0.0object network rdpuser-1host 46.*.*.*object network rdpuser-2host 48.*.*.*object network rdp-host-pchost 192.168.1.20object
[code].....
The allowed IP's are setup on user level (rdpuser-1 and rdpuser-2) .Still do, I can't connect to the server from any of these IP's...
we are not able to access port 3389 on host 10.45.4.2 over our vpn connection. vpn is up and running and we can access othet tcp ports on the host but not 3389. hereunder part of the config:
ip http serverno ip http secure-serverip nat inside source route-map SDM_RMAP_1 interface BVI1 overloadip nat inside source static tcp 10.45.4.2 18330 94.229.51.184 18330 route-map SDM_RMAP_2 extendableip nat inside source static tcp 10.45.4.1 3389 213.148.231.156 3389 extendableip nat inside source static tcp 10.45.4.1 5800 213.148.231.156 5800 extendableip nat inside source static tcp 10.45.4.1 5900 213.148.231.156 5900 extendable!access-list 1 remark SDM_ACL Category=16access-list 1 permit 10.45.4.0 0.0.0.255access-list 100 remark SDM_ACL Category=4access-list 100 remark IPSec Ruleaccess-list 100 permit ip 10.45.4.0 0.0.0.255 10.45.1.0 0.0.0.255access-list 101 remark SDM_ACL Category=2access-list 101 remark IPSec Ruleaccess-list 101 deny ip 10.45.4.0 0.0.0.255 10.45.1.0 0.0.0.255access-list 101 permit ip 10.45.4.0 0.0.0.255 anyaccess-list 102 deny ip host 10.45.4.2 10.45.1.0 0.0.0.255access-list 102 permit ip host 10.45.4.2 anyroute-map SDM_RMAP_1 permit 1 match ip address 101!route-map SDM_RMAP_2 permit 1 match ip address 102!!control-plane!bridge 1 protocol ieeebridge 1 route ip
I'm trying to determine whether Cisco has any equivalent (in any platform) to some of the existing firewall rules within our iptables infrastructure. [code] What this does, is allow port forwards on port 3389/rdp. However, if a single IP opens too many connections within a timeframe, it starts dropping new ones.This is a critical requirements for certain security scenarios, such as preventing RDP brute forcing. A similar principle can be applied to 22/ssh.I've had a look around, rate limiting searches generally land me on QoS based discussions. I've seen people ask similar questions and get referred to CBAC. Whilst I can see similarly worded functions there such as limiting "half open" connections, I don't see anything there that limits the actual number of connection attempts you can make.
View 1 Replies View RelatedIt's been a while since I've done a lot with a PIX config so what is the best way to allow access for 2 IP addresses that need to RDP into a server here inside our network. They also wanted to have ports redirected, 3391 to 3389 and 3397 to 3389.
View 12 Replies View RelatedWe have an ASA 5505. 5505 comes with two default vlans 1&2 with each of them marked as inside & outside respectively.My query is , if i do not want to use vlans on 5505 and only want to use the Ethernet ports as pure physical layer 3 ports, is it possible?i.e. i want to assign a layer 3 ip address on eth0/0 and eth0/1 and make them as the inside & outside interfaces rather than vlans. is it possible to do away with vlans in 5505 & will it work otherwise?
View 3 Replies View RelatedIs there a way to associate spare firewall ports with another port that is being used..For example...int gi 0/2 is being used currently for my web dmz. Its ip is 192.168.10.1..Is there a way for me to associate gi 0/3 with the same layer 2 as gi 0/2 ?
In my webdmz I use 2 ACE 4710 proxys in FT mode. I used a layer 2 switch to connect firewall and proxys together.
I would like to eliminate this switch if possible..and connect both 4710's (layer 2) direct to firewall.If I could make gi0/2 - 4 part of the same vlan, then I would be good to go.
I need to configure a Cisco 887va router for a customer with a firewall that doesn't support PPPoA. I basically need to ensure all traffic that is recieved from the internet (ADSL connection) is NAT'd to a LAN interface so the firewall can do the specific NATing. I have the following route map and NAT rule in mind, but what I am confused about is that if the atm0 interface needs to be configured as the outside interface and vlan2 as the inside interface. How will the following work?
View 0 Replies View RelatedWe are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.
View 1 Replies View RelatedI am testing limit bandwith using my ASA 8.2, i am trying to limit internet access for certains users , i order to save Bandwith for the important things but i can´t get any limitation
My configuration is the following, the acces list is just for my pc in order to test, and the service policy is applied to outside interface (called internet in my case) for incoming traffic
access-list Internet_mpc_1 extended permit ip host 172.16.127.70 any class-map Internet-class-TEST match access-list Internet_mpc_1 policy-map Internet-policy-web class Internet-class-TEST police output 1024000 1500
service-policy Internet-policy-web interface Internet
With show service policy i can´t see any activity on the policy , but if i do a similar configuration for inside interface outgoing traffic i can see packets allowed and dropped
I have an ASA 5520 with the below config
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?
So I am trying to get traffic from 192.168.1.33 on UDP ports 10000-20000 and port 5222 (udp) to have DSCP set to EF and Forwarded accordingly.
Building configuration...
Current configuration : 32481 bytes!! Last configuration change at 22:52:11 UTC Mon Jul 30 2012!version 12.2no mls acl tcam share-globalmls netflow interfacemls qosmls cef error action freezevty-async!!spanning-tree mode pvstdiagnostic bootup level completeaccess-list 99 permit 192.168.1.51access-list 99 permit 192.168.1.9access-list 99 permit 192.168.1.8access-list 99 permit 192.168.1.12access-list 111 permit udp any any range 10000 20000access-list 111 permit udp any any range 1 9999access-list 111 permit tcp any anyaccess-list 111 permit udp any any range 20001 49151access-list 111 permit udp any any range 50000 65535access-list 150 permit udp any any eq 5060!redundancymain-cpu auto-sync running-configmode sso!ip access-list extended Modesto_Officeremark Wireless Linkpermit tcp any any establishedpermit icmp any anypermit udp host 65.214.162.12 host 99.24.26.84 eq tftppermit ip host 65.214.162.24 host
[code]....
Does the ESW 520 24P Support Mirroring 20 Ports Traffic to 1 Destination Port?
View 3 Replies View RelatedAt present we are having a 4900 series switch where we are running one monitor session.Additionaly we are in need of capturing VLAN traffic and set the destination to 2 * GE ports , both are in the same switch.Due to the limitation of two monitor sessions per switch , we thought of putting the destination ports as port channel but it looks like it is not supported.
View 1 Replies View RelatedI've been digging into some performance issues on a LAN that has a couple of 2960s. The monitoring software I'm using has indicated a high amount of discarded outbound packets (up to 5%). The suggested resolutions were to enable flow control.
My question is does enabling flow control on all ports interrupt network traffic at all? this is a production network so I had already planned on doing it during off hours but also wanted to know if I should be prepared for any significant drop in traffic.
i would like to monitor traffic between multiple source ports to multiple destination ports on a nexus 7k. i lknow when you set up monitor session is between source and destination (laptop or traffic analyser) but is there a way i can set up between source and multiple destination ports and capture that traffic ?
View 3 Replies View RelatedI posted my complaint on Amazon.com recently. My E4200 router stopped allowing traffic through ports completely. I was able to unplug the power and allow the router to cool, and the router would work for a while then stop after about 10 minutes. I assume that the unit was overheating, but I do not have the equipment of a test facility.I bought a Belkin AC 1200 router which is a bit of an upgrade from Amazon.com. I do not think that there is anything that Linksys can do for me as my warranty expired. I just thought that when I spent what was to me a lot of money the router should have lasted longer.
View 5 Replies View RelatedI've been looking into IGMP snooping and have read that a L2 switch will forward multicast traffic to all ports connected to an interested receiver AND all mrouter ports. In a L2 'V' topology this results in all multicast traffic routed onto a VLAN being forwarded to the 2nd distribution switch. My question is how should a 6500 Sup720 deal with this unwanted multicast traffic? Both a Local SPAN of the RP and a Netdr capture suggest that this traffic is punted to the RP and ultimately dropped. Is this expected behavior or should the traffic be dropped in H/W?
View 2 Replies View RelatedI have a PC attached to a standard 192.168.1.1 router with port forwarding turned on. The PC has an IP of 192.168.1.10 and I have Port 3389 (RDP) on the router forwarded to that PC's internal IP.
I currently have a DynDNS hostname, example.dyndns.org, and I type that into MSTSC (remote desktop) whenever I'm traveling.
But, is there a better way of doing this? The IP of the PC is not static, but it rarely changes. I do have a domain registered with GoDaddy and have full access to DNS records.
So from a security standpoint... PPTP through Windows RRAS then RDP to the server?,Open port 3389 to the server and rdp direct? would think that having a VPN out front would block people from attempting a connection, but if the VPN username and RDP username are the same, I feel like its about the same.
View 7 Replies View RelatedI have a current issue with my 2008 R2 machine.I cannot get Remote Desktop to work. Client machine is Windows 7 Ultimate, windows firewall on the Server machine is disabled, Telnet to port 3389 works (as in, it doesn't error out it gives me a blank screen), the account I'm trying to login to is the only account on the machine (Administrator). Remote Desktop service is installed and set to allow connections on the less secure mode.
View 19 Replies View RelatedAt one of our client premises they have an Cisco 1841 router. We need to connect from outside (other location in another country) with Remote Desktop connection port 3389 to an internal IP address ( a server).From any IP address it have to permit a connection on port 3389 to be forwarded to the server.
View 2 Replies View RelatedI have an RDP server farm that lost a disk. The RDP service was still running but users were unable to log in. I'd like to create a health probe that does maybe a combination of TCP probe for port 3389 and something that can determine if the drive that stores user profiles is available.
I cannot add any new service (http or ftp) to the server. Is there any way I can check SNMP mibs on the windows server or maybe WMI through TCL?
Below is my show run of a Cisco 800 router (Two VLAN's, single WAN) that works fine. Problem is that in this senario port 3389 is open for everyone. Only two remote users are allowed to connect trough port 3389. Let's say WAN IP's : 22.33.44.55 and 66.77.88.99. How would a good access-rule look like to fix it?
no service padservice tcp-keepalives-inservice tcp-keepalives-outservice timestamps debug datetime msecservice timestamps log datetime msecservice password-encryptionservice sequence-numbers!hostname cisco-867!boot-start-markerboot-end-marker!logging buffered 51200logging console criticalenable secret 5 ***!no aaa new-modelmemory-size iomem 10clock timezone GMT 1clock summer-time GMT date Mar 30 2002 1:00 Oct 26 2035 1:59!!no ip source-route!!ip dhcp excluded-address 192.168.10.200 192.168.10.254!ip dhcp pool Vlan2 network 192.168.10.0 255.255.255.0 domain-name dsl.local default-router 192.168.10.254 dns-server 213.144.235.1 213.144.235.2 lease 0 8!!ip cefno ip bootp serverno ip domain lookup!!!archive log config
[Code]....
We have setup new ip camera system and as per our vendor to access the camera from outside we need to open,TCP ports and in firewall and forward to our camera server.
Let say our public ip address is 207.114.111.22 and our local ip address for the camera is 11.11.1.30. We have cisco asa 5510.
RDP (port 3389) is not working on D-Link network - is there a setting in the d-link to allow this?
View 4 Replies View Related