Cisco Firewall :: Inbound UDP Connection 684?
Apr 25, 2012
Trying a simple Easy VPN connection and getting the following in the error logs:
Built inbound UDP connection 684 for outside:xx.xx.xx.xx/1106 (xx.xx.xx.xx/1106) to identity:xx.xx.xx.xx/500 (xx.xx.xx.xx/500)
View 1 Replies
Oct 6, 2011
I configured an ASA 5505 a couple of weeks ago. Everything is working properly except it sends irritating messages to the syslog server. Here is an example of the message:
%ASA-2-106001: Inbound TCP connection denied from 195.215.221.56/80 to 10.70.13.90/252 flags PSH ACK on interface outside
%ASA-2-106001: Inbound TCP connection denied from 195.215.221.56/80 to 10.70.13.90/2252 flags ACK on interface outside.
View 1 Replies
Jun 24, 2012
I have 2 Cisco routers that reside on the same interface on a Cisco ASA. For security reasons, on both of the routers I have configured the default gateway to be the ASA interface, and then a static route between them on the ASA. I get the following error when a station coming from the first router tries to connect to another station behind the second router (again, on the same interface; maybe this is the issue?).
ASA-3-106001: Inbound TCP connection denied from flags SYN
There is an access list allowing traffic between them, but the hit count is 0.
View 4 Replies
Nov 3, 2011
I have a client that has an ASA 5520 that has two internet connections, FIOS and Comcast. The ASA is configured to failover from the FIOS to the Comcast if the FIOS fails. This works perfectly fine. However, I was wondering if VPN and other inbound traffic will come into the secondary connection when it is active. I think VPN will work inbound when the FIOS connection fails, but I am not sure about the other inbound connections.
View 1 Replies
Aug 6, 2012
I am trying to setup an inbound NAT on an ASA5510 running 8.4 code.
object network obj-192.168.1.2
 host 192.168.1.2 (internal web server)
object network NAT-external IP
 host ** external IP **
object network NAT-external IP
 nat (outside,inside) static 192.168.1.2 service tcp https https
access-list outside_access_in extended permit tcp any host 10.2.0.10 eq https
This seems to be set up now?
sh nat
2 (outside) to (inside) source static NAT-*.*.*.* 192.168.1.2 service tcp https https
translate_hits = 0, untranslate_hits = 0
sh access-l
access-list outside_access_in line 2 extended permit tcp any host 192.168.1.2 eq https (hitcnt=27) 0x59383a04
When I try to connect to the external IP using https I get hits on the access list, however the NAT translate hits do not go up? Do I need to allow the 192.168.1.2 server back out again?
View 1 Replies
Dec 29, 2011
I am trying to configure my ASA5505 to allow SMTP relay and the ACLStatic I created is not working.
View 1 Replies
Oct 30, 2012
I have set up an ASA5505 running 8.2 with dual ISPs.
The primary link is the current live static route out and the backup picks up if the primary fails. That all works great. However, I have an issue with inbound NAT rules.
I have configured an inbound static on the primary which works great:
static (inside,primary) *.*.*.* 10.1.1.1 netmask 255.255.255.255
access-list outside_access_in line 2 extended permit tcp any host *.*.*.* eq 3389 (hitcnt=4)
Question: With the primary link active and the default route pointing out through the primary, am I able to configure an inbound NAT to the same inside host 10.1.1.1 on the backup link?
If the primary fails, users will need to be able to connect inbound to this service.
When I try to set it up I get this error: ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
So I tried that and got this warning: WARNING: All traffic destined to the IP address of the backup interface is being redirected. WARNING: Users will not be able to access any service enabled on the backup interface.
So what is the best practice for configuring inbound NAT for a dual-ISP configured ASA?
View 1 Replies
Apr 20, 2013
I have a 2621 router - old, but works well. I need to put in an ACL to limit the inbound SMTP traffic to be FROM a specific set of IPs, and deny all others.
I have tried various combinations with no luck. Something obvious, I am sure.
When I do a show access-lists 160 it shows all SMTP traffic being snagged by the SMTP deny statement. All other traffic works correctly.
Here is my config so far...
Current configuration : 3093 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname xxxxxxxxxx
!
logging rate-limit console 10 except errors
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
ip subnet-
[Code] ....
View 6 Replies
Jan 30, 2012
I know I can use the RTR statement to determine when the primary ISP circuit goes down via this technote: url... My question: can I assign static NATs on the backup ISP connection to the same inside servers in the DMZ? Example: 10.1.1.11 is mapped to ISP1's external IP of 65.217.77.11. Can 10.1.1.11 also be mapped to ISP2's 208.217.77.11? This way I can get my DNS changed and my inbound traffic to servers in my DMZ on the ASA 5510 running 8.0.3 code can continue to receive inbound traffic.
View 1 Replies
Jun 1, 2011
I have an ASA 5510 and a public FTP server on my local network mapped to an external IP address with a static NAT translation. All works, but I need the requests to the FTP server to come from the internal ASA interface (the server needs to use a gateway different from the ASA). How do I configure the ASA for forwarding the requests?
View 4 Replies
Feb 26, 2012
I have been asked to create an inbound connection on the ASA from the internet to a part of the network that is accessible over the wide area network, e.g.:
- Internet address 94.175.x.100 goes to 151.5.3.100,
- The internal network is 10.42.15.0/22, and connects to the 151.5.3.0/24 network over a private MPLS.
Is this possible with the ASA5510, and if so can you give me a clue how to pass the traffic?
View 6 Replies
Nov 7, 2012
I have an ASA5510 with 8.3 and a Cisco PIX525 (retiring). The ASA was for VPN traffic only while the PIX was for all other Internet traffic. I'm trying to move all the traffic to the ASA5510 so I used the PIX to ASA migration tool. I migrated the PIX rules over to the ASA5510, however we can't receive email and there is no external access to our internal websites. But the VPN connections remain intact and internal users can get out to the internet.
When I run Packet Tracer on my outside (incoming rules) the packets are dropped at the inside interface. What am I missing?
View 1 Replies
Dec 18, 2011
I have successfully been able to allow outbound access from inbound hosts on the appliance; however, I have only one outbound IP address and had to configure outbound access using static PAT. What I need to do is to configure access to certain inbound hosts from outside. What's wrong with my running config? Below are the commands that I believe need to be changed from the configuration. [code]
View 14 Replies
May 31, 2011
Last night I switched out our old Cisco PIX 515 with an ASA 5505. The config is the same and internet and outgoing mail are working, but no mail is coming in. Below is a copy of my config. Why is my inbound mail not coming in?
smtp 192.168.51.248 (Barracuda email filter)
pop3 192.168.50.11 (Exchange server)
Tried to telnet into the firewall but the connection timed out. Went to MXToolbox and that also timed out while trying to connect to SMTP. A port scan from MXToolbox timed out too on all ports.
[Code] ........
View 5 Replies
May 12, 2011
How do I set up port forwarding for inbound SSH?
The outside interface on the ASA is on DHCP. I have a single dynamic public IP from my ISP. The inside interface provides Internet access for the network using NAT.
I have a server on the internal network with an IP of 192.168.0.6 and I would like to access this via SSH (TCP port 22) from outside.
I've been able to do this in the past on a PIX with a static public IP block, but I'm new to ASA and I don't know how to do it with PAT.
Current running config attached for what it's worth, but it's pretty basic at the moment.
View 3 Replies
Nov 20, 2011
I'm running a Cisco ASA 5510 with version 7.2(3) and I've been tasked with permitting some inbound & outbound TCP & UDP ports to/from a specified address space on the internet.
In looking at my current ASA config I see other access lists already configured so I'm assuming I can just set up a new access list in similar fashion, but I wanted to verify here first.
View 6 Replies
Oct 9, 2011
So I recently purchased an E4200 to replace my aging and slightly ailing D-Link DIR-655 which has served me well for going on 5 years. The part of the D-Link that was giving me the issues was the wireless; the routing and switching worked fine, however.
I do quite a lot of streaming of media from my home machine outside my network through the internet. Most recently I've been using Kalemsoft Media Streamer on my HP TouchPad, however I've used Zumocast, Windows Live, Splashtop, and a few others. I haven't yet tried my PPTP VPN through the router for an extended period of time to see if it reflects this issue as well though.
Since replacing my 655 with the E4200 I've started experiencing a timeout issue. It seems to be semi-consistent and only happens after a period of non-use or extended use (I haven't timed it yet to see if it always happens after the same amount of time though).
Basically what occurs is this:
I'll be watching some video or listening to audio streaming from my machine and after a period of time (usually a long period of time) it'll suddenly lose connection, requiring me to reconnect through the software, like the NAT translation is timing out or something.
How it USED to work is this: it'd basically work until I stopped streaming.
My setup:
AT&T Uverse set to DMZPlus aiming towards my E4200 WAN port (sitting directly in place of the 655 I used to have)
All machines on the network are gigabit. I have ports 7000 and 7001 open for Kalemsoft Media Streamer on the E4200 per the specifications of the software.
The software understands UPnP so I have nothing specific forwarded on my machine, but I didn't previously either.
View 4 Replies
Oct 18, 2011
I need to allow ports 18082 and 18086 inbound to one of my internal servers. I know how to create a static NAT rule but I don't know how to only allow those two ports. I don't want to open the server to all ports. This is what I am doing via ASDM v6.1:
Configuration > NAT Rule > Add > Add Static NAT Rule
Original
Interface: inside
Source: my internal IP address
Translated
Interface: outside
Use IP Address: my available external IP address
Now under PAT I assume that's where I put the ports, so I check the Enable box and select TCP. Then I enter 18082 in both the Original and Translated Port boxes. I tried adding 18086 by entering 18082-18086 or with a comma as a separator but it doesn't allow it and spits out an error saying that the format is incorrect.
Click [OK].
Now, is that how I add a single port to forward to my internal server? Do I need to create another Static NAT Rule including the second port of 18086?
View 4 Replies
Apr 5, 2013
I have an RV110W that's been in service since Dec 2012. Everything is working fine except every month or so the firewall starts blocking all inbound traffic. It does not respond to remote management access. If I reboot the firewall (power off/on) everything works correctly for the next month or so and then it begins blocking all inbound traffic again. Local access to the Internet and VPN tunneling are not affected. When it's working, all my rules and port forwarding work correctly.
View 2 Replies
Feb 5, 2013
I need to configure the following on my PIX:
- TCP port 2195 - outbound
- TCP port 2196 - inbound
How would I configure this via ASDM?
View 3 Replies
Nov 22, 2012
I have upgraded an ASA 5505 to 9.0(1) as I would like to use the IPv6 version of dhcprelay. That said, I am unable to obtain a global unicast address, but the link-local address is able to communicate with the ISP's gateway/DHCP provider, which I hope will allow v6 dhcprelay to provide internal clients with IPs from the ISP. Trouble is, unsolicited inbound ICMPv6 messages from the ISP's gateway are being dropped on the way into the outside interface.
%ASA-3-313008: Denied IPv6-ICMP type=129, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=131, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=131, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
[Code]...
View 4 Replies
Nov 5, 2012
Trying to allow inbound access from any host outside to my LAN server on port 995. [code]
View 1 Replies
Dec 26, 2011
I’m trying to configure my ASA 5505, in order to allow my inbound and outbound mail communications. Here with this mail I’ve attached a diagram which illustrates my exact network setup along with ip addresses.
In this setup I’ve enabled port forwarding on my ADSL router (port 25 and 110) and configured the ASA accordingly, and my mail server is located inside my network.
My problem is that currently I can send mails from my inside network to outside but I am not receiving any mails which originate from outside. I've attached my current ASA configuration as well.
Final config on ASA5505
hostname Cisco
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.155.201 255.255.255.0
[Code] ......
View 3 Replies
Feb 28, 2012
I have a weather station at our high school that needs UDP port 9500 open inbound/outbound to specified IP addresses.
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)57
View 1 Replies
Dec 1, 2012
Set up firewall rules that will block all inbound Internet access to the web server except port 443. Set up firewall rules that will block all communication between the two internal networks, except ports 7000 and 1702.
View 1 Replies
Dec 6, 2012
I have two ISPs. I want to divide inbound to ISP1 and outbound to ISP2.
View 3 Replies
Oct 16, 2012
I have been asked to open some ports in order for a CCTV company to connect to an internal CCTV server on our LAN.
We have a PIX running PIX Version 6.3(5). I am OK configuring an ASA for the above but not a PIX.
View 2 Replies
Sep 17, 2012
I have a remote office with a 1.54mb circuit connected to our private MPLS network. Our main office has a 20mb connection to said network. I want to set a QoS policy for traffic from the remote office to our Avaya subnet within the main office. This policy is to give priority to all traffic to the Avaya G350.
I have set up the outbound traffic policy on our remote office router using a policy map as follows:
access-list 101 permit ip any 192.168.0.0 0.0.255.255 (this represents the Avaya subnet)
class-map match-all voice_outbound
 match access-group 101
policy-map voip_outbound
 class voice_outbound
  priority percent 50
interface Serial0/3/0
 service-policy output voip_outbound
This works fine for outbound traffic. Now how do I give priority to inbound traffic from the 192.168.0.0 network? When I try to do a similar command it says CBWFQ is only configurable as output, not input.
I'd just limit it at the far end, but that has a 20mb pipe. All other traffic from our corporate datacenter, as well as internet traffic, flows from the main office to the remote office. Should I just rate limit everything else destined for the remote office subnet, and if so, what's the best method?
View 4 Replies
Feb 24, 2012
I have an issue at my work where we are trying to add another computer to our network. We have 3 computers on XP (including our server) and 7 on Windows 7, 10 total. Now I've just tried adding the 11th PC and had no luck connecting to the server, but I do have internet access. I am aware Win7 allows 20 max connections. If we upgrade our server PC to Win7 and leave the other 2 computers on XP, will I be able to add this 11th PC? Or do I have to upgrade all the remaining XP machines to Win7 to get the result I'm looking for?
View 2 Replies
Dec 1, 2012
I'm a new user of VoIP. My network connection is Cable modem -> router (DIR-615) -> ATA (SPA122). Outbound calls have no problem. But inbound calls sometimes work, sometimes not (I get the message: not in service).
View 1 Replies
Aug 31, 2011
I am trying to block port scans originating in the Russian Federation, thousands per day. I entered 77.88.26.0 as the Remote IP Start and 77.88.26.255 as the Remote IP End, setting the action to Deny. It shows in the inbound filter rules list but my linux server still receives thousands of scans daily from an ip address in that IP netblock. My DIR-655 is running hardware version A3 and firmware 1.34NA.
View 8 Replies
Apr 8, 2011
I have the latest firmware version 2.05NA on the DIR-825 and while I can make outbound SIP calls I can't receive any inbound calls. The phone will ring but I can't pick up the call. [code] I am at a loss as to how to register my phone. When I uncheck ALG SIP the phone will not register to my server. I have a Polycom 550 connected to a Trixbox server. The prior router worked great.
View 6 Replies
Jan 17, 2013
I have two Cisco 7606 routers using BGP to connect our customers to the internet. Recently we added a new 1G circuit in addition to an existing 1G circuit and all traffic inbound is now on this new 1G circuit. We would like to shift some of the inbound traffic over to the other 7606. Our Tier provider has the same AS number for both paths. One path goes directly to New York and the other goes to Boston then New York.
View 1 Replies