Cisco Firewall :: How To Configure ASA 8.2(4) Not To Drop Packets With IP Option 7 (record Route)
Oct 21, 2012
How to configure ASA not to drop packets with ip option 7 (record route)? According to the docs, ip inspect ip option will drop all ip option packets except 0,1,and 20 (EOOL, NOP, or RTRALT):
"If an IP header contains additional options other than EOOL, NOP, or RTRALT, regardless of whether the ASA is configured to allow these options, the ASA will drop the packet. "
Also, policy-map type inspect ip-options treats only these 3.
View 1 Replies
ADVERTISEMENT
Apr 11, 2012
I put a QoS in a WS-C3560CG-8TC-S version 12.2(55)EX2. in our lab file upload or download speed much reduced and drop the packets with QoS everyting is fine without QoS
Here is the config: My question is why I speed reduced a lot and packets to be dropped with QoS.everything is fine WITHOUT QoS.
class-map match-any VoIP description Voice IP Phone RTPmatch access-group 157
class-map match-any WEB description Internal Web, SSL Web, DNS query, Pinnaclematch access-group 153
!
policy-map QOSMARK
class VoIP set dscp ef
class WEB set dscp cs3
[code]....
View 4 Replies
View Related
Mar 31, 2012
I've got a 1760 router which uses port forwarding (25, 80 and 443) for my internal network services. If, let's say, I try to open a FTP connection on the router, of course the connection will be refused. Is there a way to make the router DROP the packets instead of rejecting them? My Linux iptables configurations drop packets who fail the firewall test, so I would like the router to perform that behavior.Commands for port forwarding:ip nat inside source static tcp 10.10.0.1 80 int f0/0 80 (these work fine)
View 4 Replies
View Related
Jan 20, 2012
My operations manager says "Could you go on-site and configure a new clients new internet connection?" I make the arrangements and go on-site. As I'm working with the providers tech he says "Do you have a sub-interface confgured for a dot1q VLAN id of 1057?", I say "What?". Anyway my firewall is not capable of dot1q VLAN, so he says "Do you have a Cisco router that can provide the trunking?", I say "Yes, I tink so but not with me". The question is can I use an SR520 between my firewall and the provider demarc to route the VLAN he is talking about? My initial discovery says yes but I am not quite sure of the details on how to achieve this on the SR520.
View 2 Replies
View Related
Mar 21, 2011
I am trying to finish a project and i now have a very un-natural networking question, but i figure that this is the correct place to ask it.
Tools:
Routing Device = Router.
Test App = Creates and Sends Packets through my machine's NIC via NDIS Driver.
WAN = Internet.
VPN = Connected over WAN.
I am trying to route/forward/nat promiscuous packets "TO" the Internet to finish my project. The packets are not addressed to my routing device, but it must take them and forward them on to a VPN connected over the WAN. The packets are actually created by my NDIS test app. This means that the packets will be generated on my local LAN, but will not contain the MAC or IP of the routing device. So they will only enter my routing device while it is running in a promiscuous mode.. how would you try to route promiscuous packets out to the internet?
View 6 Replies
View Related
May 3, 2012
Is it possible to configure DHCP option 150 on the RV220? I have a Cisco 7940 IP phone that is trying to connect back to my office. The VPN is up and I can ping the relevant server but I can't see any way to configure the DHCP option.
View 5 Replies
View Related
Jun 19, 2012
I have a RV042 VPN Router with the latest firmware v4.2.1.02.This Router is connected to the main site by a VPN Tunnel.
Now, I like to configure some DHCP Option so I can put a IP Phone behind the RV042. The IP Phone should receive a IP by DHCP from the RV042 and of course, the IP of the Call Manager with the Option 150.
I can configure DHCP and it works fine but I can't find where I have or can configure Option 150.
View 3 Replies
View Related
Jun 24, 2011
I've enabled antispoof on all interfaces on asa 5510.If you start a traceroute to a network on the default route, everything works, since replies comes to an interface with route 0.0.0.0/0 defined.If you start a tracer route to a network that is NOT on the default route (let's assume coporate MPLS), you only get response from first carrier router, the other are discarded because of anti spoof violation.
I have ICMP inspection and icmp-error inspection enabled.
View 1 Replies
View Related
Dec 6, 2010
I'm trying to configure QoS on my 877 router to give priority to voice packets. However, when I do a show policy-map for WAN interface, all the classes show 0 bps. When I do a show int for the WAN interface, I get the correct bandwidth util.
This 877 is meant for a home network. I'm running a Cisco 7970 phone using phone-proxy back to my HQ. I'm also shaping the traffic.
Here is my config
Class Map match-any EF (id 1)
Match ip precedence 5
Class Map match-any class-default (id 0)
Match any
View 5 Replies
View Related
May 25, 2011
I will be using a cgr2010 and want to use the zone firewall option. Can i configure sub interfaces on the same main interface to be in different zones
View 1 Replies
View Related
Nov 10, 2011
ASA 5510 running without issues for a while but we needed extra port so added a 4GE SSM.
Having installed the 4GE SSM we had some issues with the card not liking a connection to our switches and only working by plugging directly from the server into the firewall, not great as we wanted extra servers on the line in the future. So we upgraded the firmware and no are at an impasse.
We have upgraded to 8.0(4)3 and now we cannot get any traffic through the port, we can't even connect to an external DNS server. Running a packet trace I get an immediate error on the first step '(l2_acl) FP L2 rule drop', and it appears as though the outside connection is down.
I have some experience on setting up basic port forwarding and NAT for internet access, webservers, mail but this has thrown me.
View 28 Replies
View Related
May 2, 2012
Working as a consultant I find it annoying I cannot see a drop-down list in the AnyConnect client as you can with the traditional IPSEC VPN client with multiple profiles. How to modify the default profile to list multiple entries?
View 5 Replies
View Related
Jul 19, 2012
Is there any option available in any of the Cisco ASA55xx series model to install both csc-ssm and aip-ssm ips modules ? If, so is it advisable to install both ? Is the throughput of ips module has any dependency with the asa chassis throughput ?
View 1 Replies
View Related
Jan 19, 2013
configuring policy based route for my cisco router?Basically, I have a 2811 cisco router with 2 ADSL ports. 1 port is for iiNet line and another port is for Telstra line.I want to configure a policy based route on the router so that:Any traffic coming from 1 internal IP (i.e. 172.16.x.1) will go through iinet line (i.e. Dialer 0) interface.Any traffic from rest of the office will go through the Telstra line (i.e. Dialer 1) interface. Is there any easy way to configure this policy based route?
View 8 Replies
View Related
Jun 21, 2012
configuring a working route between two subnets (172.28.0.0/16 and 192.168.0.0/24) on a Cisco Catalyst 2960-S.
Problem: The subnet 172.28.0.0/16 is on VLAN 40 and the clients on this subnet have to access a preconfigured device with an ip in 192.168.0.0/24 subnet. The configuration of this device cannot be changed.
I have an Cisco 2960-S Lan Base (c2960s-universalk9-tar.150-1.SE3) switch [URL] that I would like to use to solve this problem.
View 17 Replies
View Related
May 14, 2011
I got an issue when configure my 12416 router.
I plan to configure Static route load-balancing, which just assign different administraive distance to static routes.The route with lower distance is preferred. For example, if ISP A is our primary Internet provider the default route may be configured with a distance of 1 (all static routes are assigned this administrative distance) and the default route through ISP B may be configured with a distance of 100. In that case the default route through ISP B will be used if only the route through ISP A becomes unavailable.
But when I trying to configureWith Enhanced Object Tracking to do the route failover (a generic track object can monitor presence of an ip route, state of an SLA), I found my IOS not support such Track command. [code]
View 2 Replies
View Related
Aug 4, 2009
Basically I have an internet router (1841ISR) with 1 internal (LAN) connection and 2 internet connections. What I want to do is route specific traffic for 3 of my internally hosted services (smtp, https, etc) through one internet connection (fa0/0) and then route all other traffic through the unmanaged/dynamic IP ADSL connection (Dialer 0).
View 9 Replies
View Related
Jul 13, 2012
I have an 887VA-w connected at home. I am using ip virtual-reassembly an all interfaces (dialer and all internal VLANs), I am also using CBAC (currently setting up ZBF). The issue I am having is that I keep getting drop packet error messages and the reasons can differ. Below are some of the outputs I recieve: [code] I have done a show ip virtual-reassembly on all the interfaces and the counter is shown as 0.
View 6 Replies
View Related
May 8, 2012
My web server was down for the day now it's back on but the ASA not accessible with error drop rate-1 exceed
View 3 Replies
View Related
Jan 10, 2012
I am attempting to port-forward on an ASA 5500 to internal host .100. The outside interface recieves its IP via DHCP. Packets are being denied so I ran packet-tracer and get the following error from outside to ssh port on internal host.
#packet-tracer input outside tcp 79.x.x.x 1025 71.x.x.x ssh
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
[Code]...
View 7 Replies
View Related
Dec 19, 2012
Outside users with certain public ip addresses are not able to access our website. Below is a log from our ASA 5550 8.2(5) on one of the clients that's being dropped. Packet trace result shows that the outside public addresses are allowed. We do have a TAC case open.
View 1 Replies
View Related
Dec 12, 2012
I want to disable the telnet option/feature on ASA 5510
i tried no telnet alone it wont work as i didnt configured any telnet at all.
View 1 Replies
View Related
Jun 17, 2012
Any example of how to configure an sm-es2-16-p service module to route over an Cisco 2911?
View 2 Replies
View Related
Jul 24, 2012
how to configure a backup route to the internet. My client has 2 ISP and basically they want to use 1 ISP and in case the ISP fails, use the other one as backup route to the internet.
The problem I’m facing is that each ISP is plugged to a dedicated ASA 5510, so 1 ISP in one firewall and 1 in the other. Both ASA are plugged to an internal network in a dedicated VLAN with a L3 switch and that L3 switch manages the internal network.
My question is, how can I tell my switch to use ASA1 to go out to the internet and in case the ASA 1 OR THE LINK TO INTERNET used by ASA 1 fails, use ASA 2? It would be great if I can send traffic to the internet thru both connections at the same time. Also, I know the ASA has High Availability configuration, but that applies only if both licenses in the devices are the same and I have a mismatch with the SVPN license, and also I don't know if with my current topology I can use the High Availability model, so I think I can’t use that option and the solution must be applied in the L3 switch, but I don’t know how to tell it to use ASA1 and if failure of the device or the outside interface plugged to ISP 1, then use ASA2. Besides, I would like to know how to optimize this config to do the switch between internet connections seamless to the users if possible (there are VoIP calls on this floor, so I don't want to drop the calls).
View 5 Replies
View Related
Dec 4, 2011
I have a capture set up of type "asp-drop all", and I am capturing certain packets with no indicated ASP drop reason. See output below (ASA 5510 with 8.0(5)23 code):asa5510-8.0# show capture, capture ASP type asp-drop all buffer 15000 circular-buffer [Capturing - 14912 bytes]
View 2 Replies
View Related
Sep 4, 2012
I have a 5510 FW in multi-context mode that is showing a high drop count on the Management interface in the Admin context.
View 1 Replies
View Related
Nov 22, 2011
I have two ASA5510-BUN-K9 Fws and I am planning to buy 2 x L-ASA5510-SEC-PL= to put them in HA.I was wondering if the support contract that I curently have for the two ASAs is still valid or do I have to buy any support upgrade?
View 1 Replies
View Related
Mar 1, 2012
In order to feed my netgear dgn1000 adsl modem/router with a rca roadrunner modem with ethernet single jack do I enable NAT or not on Netgear router and do I use router as DHCP or not?
View 2 Replies
View Related
Apr 30, 2013
I am having an issue where the ASA is dropping packets on the vlan interfaces. I have it as a dedicated router/firewall for a 100mb connection .
Vlan1 is the internal networkVlan2 is the network to cable modem
Eth 0/1 is connected to a 2960G switch with hard coded 100mb Full Duplex at each end, this is the inside interface. Eth 0/0 is the connection to the cable modem, this is the outside interface, set at auto at both ends.
Im getting on the vlans eg. 51253 packets dropped however network traffic isnt impacted and everything runs fine, as well as 46532 switch ingress policy drops.
Example;
ciscoasa# sh int vlan1Interface Vlan1 "inside", is up, line protocol is up Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec MAC address 70ca.9b36.ab80, MTU 1500 IP address 10.x.x.x, subnet mask 255.255.255.0 Traffic Statistics for "inside": 43250588
[Code]......
View 1 Replies
View Related
Feb 28, 2012
We have a setup with a MS-TMG - ASA (8.2.4(4) in routing mode) - (internal) Router - FWSM - Router - Exchange with NLB. We have now the problem that IMAPS is not really working through this setup. It works from internal (without ASA and TMG inbetween), but not reliably through the internet. There is a rule on the ASA which permits the ports from the TMG to the Exchange NLB address.We opened a case with Microsoft and they told us that not all tcp-syn packets are received by the Exchange server which were sent by the TMG.Thus I sniffed on the ASA with a packet capture and indeed, a lot of syn packets were on the interface to the TMG, but not anymore on the interface to the internal router.This ASA also filters all other internet<->company traffic, so there's a lot of stuff running.
Maybe it's dropped in the ASP, or is the capture maybe not valid?Here the show asp drop:
ASA01-Internet# sh asp drop
Frame drop: Invalid TCP Length (invalid-tcp-hdr-length) 1 Reverse-path verify failed (rpf-violated) 319 Flow is denied by configured rule (acl-drop) 477077 First TCP packet not SYN (tcp-not-syn) 10212 TCP data send after FIN (tcp-data-past-fin) 41 TCP failed 3 way handshake (tcp-3whs-failed) 824 TCP RST/FIN out of order (tcp-rstfin-ooo) 1419 TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 6 TCP SYNACK on established conn (tcp-synack-ooo) 1 TCP packet SEQ past window (tcp-seq-past-win) 821 TCP invalid ACK
[code]....
View 9 Replies
View Related
Jun 10, 2012
We have a wifi network for guests, that we route to internet through an old PIX515 Firewall. We recently tuned the timers to lower values in order to "save" on resources and publix address usage.
The timers we use are:
-timeout xlate 0:30:00
-timeout conn 0:30:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
Through verifying the new timers, we noticed at some xlate connections (TCP PAT) that are idle for ever!!In the connection table, I cannot find an idle connection for longer than 1h....
View 1 Replies
View Related
Sep 26, 2012
I am trying to configure my ASA 5545 firewall in area 0 but when I do so, the neighbor relationship never establishes. A debug on OSPF gives only one response: [code] Why the ASA is ignoring the input packets?
View 4 Replies
View Related
Aug 21, 2012
I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part.
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
Guest VLAN has access to 2 IP's in Data for printing. Cisco871#sh run
Building configuration...
Current configuration : 8005 bytes
!
version 12.4
no service pad
[Code].....
View 1 Replies
View Related
