Cisco Firewall :: Inside Hosts Cannot Connect To Internet Through ASA 5510

Dec 4, 2011

I have an ASA 5510 which i've configured for internet access.I can connect to the internet from the ASA box,I can ping public networks from the console of the ASA box,but cannot access public hosts from internal hosts connecting via the ASA box.Find my config below to know what i ahave omitted or committed.
 
[code]...

View 5 Replies


ADVERTISEMENT

Cisco Firewall :: ASA 5510 - Should SSH Sessions From Inside To DMZ Hosts Survive

May 22, 2011

This is an issue I'm currently exploring with TAC, but I'd like a quick reality check. We have a pair of ASA 5510s in Active/Standby stateful failover mode. In some tests failing over from the active to the standby system breaks SSH connections from hosts on our Inside to hosts on our DMZs.
 
A specific example is our backup server on Inside which is connecting to our mail server in the DMZ2, and running ssh/rsync/scp for the backups. A running backup job fails with network timeout errors when I trigger the failover. Also, sometimes the mail server loses or hangs on its connection to our LDAP server in DMZ1, although sometimes this connection is fine (DMZ2 is more "inside" than DMZ1, and I assume the LDAP look ups are many short connections, vs the rsync backup being one long connection).
 
TAC has suggested that open SSH sesions will always fail when the ASAs failover. I believe this is true for management connections to the ASA, but I don't see why it should be the case for an SSH session through the ASA to a server in the DMZ. TAC has suggested that I open some connections to servers in the DMZ and test what happens, and I can do so this Wednesday morning during a maintenance window.But, in general, is this true? That is, given an SSH session from a workstation to a server, should a failover break it? If so, why?
 
The setup is:
 
MyWorkStation-INSIDE -> CoreSwitch (vlan 10) -> [ ASA-INSIDE - - (ASA-internal-connection) - - ASA-DMZ ] -> CoreSwitch (vlan 3) -> TargetServer
 
That is, all our inside VLANs are routed by our core L2/3 switch to a VLAN that connects to the Primary and Secondary ASA's INSIDE ports. There are also seperate VLANS on the core for the ASA's DMZ1 and DMZ2 connections, which go to both ASAs and to any servers in these zones.
 
The description of the ASA Stateful failover [URL]says: "The state information passed to the standby unit includes these:
 
· The NAT translation table
· The TCP connection states
· The UDP connection states
· The ARP table
· The Layer 2 bridge table (when it runs in the transparent firewall mode)
· The HTTP connection states (if HTTP replication is enabled)
· The ISAKMP and IPSec SA table
· The GTP PDP connection database

[code]....
 
I'm not quite sure what the ISAKMP and IPSec SA tables do, but shouldn't an SSH connection through the ASA be just a TCP connection? "For us, SSH from Inside to hosts in the DMZ survives failover," or, "Yah, failover breaks all SSH sessions."

View 2 Replies View Related

Cisco Firewall :: Cannot Ping To Inside Hosts From ASA-8.2

Jun 8, 2013

I am struggling to get successfull pings beween asa and inside hosts but couldn't succeed. Done packet tracer result is acl-drop
 
Here is the running config
 
Prem-ASA(config)# sh run
: Saved
:

[Code].....

View 7 Replies View Related

Cisco Firewall :: ASA 8.4 NAT On Outside And Inside For Certain External Hosts?

Nov 21, 2012

ASA is running 8.4.
 
Internal interface: 172.16.1.1
External interface: 172.16.2.1
 
Routing to 192.168.0.0 via internal host.I've got some static NATs, e.g:
 
object network obj-192.168.0.1
nat (inside,outside) static obj-172.16.2.1
 object network obj-192.168.0.3
nat (inside,outside) static obj-172.16.2.2
 
 I also want in internal NAT, but only for certain external hosts, so when they connect to any of the above, their source address is changed. I've attempted the following so an external host (172.16.2.254), has it's source changed to 172.16.1.100.
 
nat (outside,inside) source static obj-172.16.2.254 obj-172.16.1.100
 
But it's source remains unchanged.What am I missing?

View 3 Replies View Related

Cisco VPN :: ISR 891 - Unable To Connect To Inside Hosts

Sep 27, 2011

I am able to  connect to my Cisco ISR 891 via VPN with the Cisco VPN Client 5.0.07.0440, but once connected I cannot access hosts on the inside. If I ping a host on the inside by name, nothing resolves. If I ping by IP, I get a reply from the public IP of the router. [code]

View 2 Replies View Related

Cisco Firewall :: ASA5505 - Inside Hosts Limit

Feb 18, 2012

The ASA5505 I am working with has this from the show version:
 
Licensed features for this platform:Maximum Physical Interfaces : 8VLANs                       : 3, DMZ Restricted Inside Hosts                : 10Failover                    : Disabled VPN -DES                     : EnabledVPN-3DES-AES                : Enabled VPN Peers                   : 10WebVPN Peers                : 2Dual ISPs                   : Disabled VLAN Trunk Ports            : 0
This platform has a Base license.
 
Does the Insides Hosts  :10 line mean that only 10 devices can be connected to the firewall at one time? I would like to connect an AP to one of the PoE ports and have possibly more than 10 connected. Is this possible with this ASA5505? 

View 9 Replies View Related

Cisco Firewall :: Upgrade Inside Hosts From 10 To Unlimited On ASA5505 BUN K9

Aug 17, 2011

I want to  upgrade  "inside hosts" from 10 to unlimited on a ASA5505-BUN-K9, Do I have to buy  Security Plus license ( L-ASA5505-SEC-PL =)  ) before activating ASA5505-SW-10-UL ?

View 3 Replies View Related

Cisco Firewall :: ASA5505 - Outlook Access For Inside Hosts

Apr 25, 2011

I am using ASA 5505 firewall with base-license. I connected my firewall to one cisco 3750 switch where i created 5 vlans. I done NATing for all vlans and they able to get internet and working fine. They able to  browse all internet sites like gmail and yahoo mail.
 
All internal users are configured to use Outlook for their webmail. Here the problem is with outlook they are unable to send and receive the mails.
 
If they directly connected their system using public ip( Directly from ISP) they able to send and receive mails from outlook.

View 2 Replies View Related

Cisco Firewall :: ASA 5505 8.4(1) - Map Multiple Inside Hosts Ports To One Public IP?

Jun 22, 2011

I'm stuck at asa 5505 nat, port forwarding configuration Here is what i need:

host1: 192.168.1.1 service tcp/100 >>>>> public ip 1.1.1.1 service tcp/100
host2: 192.168.1.2 service tcp/200 >>>>> public ip 1.1.1.1 service tcp/200
host3: 192.168.1.3 service tcp/300 >>>>> public ip 1.1.1.1 service tcp/300
 
So people from remote just need to use 1.1.1.1 public ip to access all the ports on three different inside server.I can do this on my old ASA 5505 with 8.0(4). Looks like there're lots of change from 8.0 to 8.4.

View 7 Replies View Related

Cisco Firewall :: ASA 5505 - Increase Inside Hosts License Count?

Feb 14, 2012

At the end of the day I simply need to upgrade the license on my ASA 5505 v7.2.4 (upgrade will come later as part of a larger project) to allow for >10 Inside Hosts. From what I've read there seems to be a 50 license upgrade out there. Can this be purchased directly? From whom? Will it only affect the Inside Hosts number and not affect any other licenses, configurations, etc. Just being overly cautious since this is way outside of my normal realm. Below is the current activation-key information....
 
Result of the command: "show activation-key"
  
Serial Number:  xxxxxxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  
Licensed features for this platform:
Maximum Physical Interfaces : 8        
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10       
Failover                    : Disabled
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
VPN Peers                   : 10       
WebVPN Peers                : 2        
Dual ISPs                   : Disabled 
VLAN Trunk Ports            : 0        
  
This platform has a Base license. 
 
The flash activation key is the SAME as the running key.

View 2 Replies View Related

Cisco VPN :: Few PCs Inside Hosts Frequently Loosing Internet ASA 8.2?

Jun 7, 2013

One of our company guys always complaining that few inside PC's are frequently loosing internet and reconnecting after some times.The Connectivity is as mentioned below:
 
Inside: Switch -> Router -> ASA -> Router -> Modem ->Internet ------------VPN-------------------------

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Connect From Inside To Web Server On DMZ With Public IP

Sep 11, 2012

I hava ASA5510. INSIDE,DMZ and OUTSIDE interfaces are configured. I hava web server on DMZ ip:10.0.0.1 and it is static natted to 1.1.1.1. From internet i can reach to web server with IP:1.1.1.1 and from INSIDE connect to web server with IP:10.0.0.1. Now i want to connect from INSIDE to WEB server via public IP(1.1.1.1).how can configure it?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 - No Internet Connection On Inside Interface

Jan 3, 2012

so i have a ASA 5510. The ASA is Connect with the Internet through PPOE DSL MODEM
 
The outside Interface get an IP. The Inside Interface get through DHCP from the ASA the Internet DNS SERVER (T-Online) But the HOST do not connect to the Internet because the DNS Server is timed out
 
Code...

View 10 Replies View Related

Cisco Firewall :: 5510 - Get Internet Connectivity On ASA Inside Interfaces?

Dec 30, 2012

I have a Cisco ASA 5510 with 3 inside interfaces each connected to a 3750X switch port in a vlan. Outside interface is connected to external router with 209.155.x.x public IP. Static route exists for outbound traffic on outside interface.
 
3750X is configured for inter-vlan routing. VLANs 10, 20, and 30 have 172.16.x.1 IP address with static routes pointing to the each of the ASA inside interfaces - 172.16.x.254. Connected hosts are configured with gateways pointing to the appropriate vlan interface IP - 172.16.x.1.
 
Inter-vlan routing appears to be working - I can ping back and forth between hosts on different vlans, and I can ping each vlan IP.I can also ping each ASA inside interface from a host in the appropriate vlan, but I cannot ping internet sites (4.2.2.2 or 8.8.8.8) from hosts on the inside interfaces.
 
I can ping 4.2.2.2 from the ASA CLI. I can ping internal hosts on vlans 10,20,30 from the ASA CLI. But, no luck with pinging from inside host to internet hosts

View 12 Replies View Related

Cisco Firewall :: ASA 5510 - Accessing Hosts Over VPN?

Oct 31, 2012

I've been attempting to fix this issue or confirm the issue is not with the firewall and I have kind of run into a road block. This is my problem as I understand it. A client of mine has a VPN tunnel built over a point to point connection of some kind (this client is fairly new to me) and is unable to access some hosts on the remote end of the VPN tunnel from the LAN side of the firewall. The LAN IPs are NAT'd as they leave the network from the HPH-Point-to-Point interface to the remote end. Just as a point of reference, the LAN IP of 129.200.11.19 is said to be working, however the range of 129.200.20.25 - .50 is not. I've tried packet-tracer but with the NAT happening over a VPN tunnel I am not sure if I am doing it correctly.

View 1 Replies View Related

Cisco Firewall :: 5510 - Hosts Loosing IP Address

Dec 10, 2012

I have just started to use an ASA 5510 for my network. I use the DHCP server on it and after i made the change over to ASA hosts started loosing their IP address. This was not a problem before on my old firewall that aso had the roll of DHCP.
 
Is it possible that something is wrongly sett on the asa? All traffic is flowing normaly when this does not happen.
 
Information:
     Lease length: 172800
     address pool: 134 addresses
     hosts: around 45 + mobile units 45

View 3 Replies View Related

Cisco Firewall :: Statically PAT Multiple Internal Hosts To One External Host 5510

Feb 20, 2012

I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 / Blocking / Shunning Hosts With Service Policy Rules?

Dec 20, 2012

I have an ASA 5510 deployed and we are getting a tonne of port scanning traffic (who isn't these days) and ping traffic.The threat scanning thresholds seem a bit too high and was wondering if there is a way to use a Service Policy Rule to perform a Shun/Block of the hosts rather than the firewall simply blocking the request via the ACL and sending a reply.
 
In other words, if I do nothing, I know the ACL is protecting the resources but it is still replying to the client connection. I want the end result to be the same as a "Shun" where the connection is dropped and no reply is sent. how to employ Service Policy Rules to thwart Port Scanning and/or IP Spoofing? 

View 2 Replies View Related

Cisco WAN :: ASA 8.4 Can't Ping External Hosts From Inside

Jun 9, 2011

DNS resolution works and I can surf the web without fail.  But if I try to ping any external hosts (I can ping inside interface of ASA fine) from the LAN I get timeouts.  I can ping anything from the ASA without fail.

ASA Version 8.4(1)
!
hostname fw1-nat-ann
domain-name inmd.infoblox.com
enable password anWLNen9CTFp7B/X encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names

View 1 Replies View Related

Cisco VPN :: ASA 8.4 Cannot Reach VPN Clients From Inside Hosts

Jun 18, 2012

I am able to reach VPN clients (Anyconnect) only from hosts directly connected to the ASA's inside interface subnet. However, hosts on other internal subnets (177.1.10.0 & 177.1.11.0) are unable to connect to clients on VPN. The ASA is running ver 8.4. [code]

View 8 Replies View Related

Cisco Firewall :: DMZ To Inside On ASA 5510

May 9, 2011

I have deployed a read only domain controller in our DMZ as part of a domain-related project.  That machine needs to be able to reach domain controllers on our internal network.  To do so, it should traverse our ASA 5510, going from the DMZ Interface (security level set to 60) to the Inside Interface (security level set to 99).
 
I've created an ACL as following (alerting hostnames in the example):
 
access-list dmz_access_in extended permit ip host dmz.rodc.domain.local object-group int-domain-controllers
 
I've read in various spots that you have to create a NAT when traversing security levels, going from a less trusted interface (DMZ) to a more trusted one (internal.)  Since this link will carry domain traffic, we do not want to create a real translation.  Thus, I created a stand-in NAT that points to its own IP as follows:
 
static (dmz,inside) dmz.rodc.domain.local dmz.rodc.domain.local netmask 255.255.255.255
 
Long story short, the connection fails.  I'm able to access other hosts in the DMZ and on another interface configured with the same security level (which I've explicitly allowed), but trying to go from the less-trusted DMZ to the more-trusted internal fails.

View 12 Replies View Related

Cisco :: Allow Inside Hosts To Access A Specific Network?

Feb 10, 2011

I'm just new with ASA. I'm just self-studying on it. I was tasked to have an ACL that will allow inside hosts to access a specific network. Is there a way on how to know all the inside hosts on the behind ASA so that I can do a "object-group network" on those inside hosts which I think it will look neat.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Inside To Dmz Communication

Mar 5, 2011

configure ASA 5510 as below
 
inside users should communicate with Hosts on the DMZ Zone and at the same time they should go for internet towards outside interface
 
ASA with 8.3(1)
default security levels
 
attached is the digram for your reference need communicate form inside to DMZ

View 1 Replies View Related

Cisco Firewall :: 5510 Allow Traffic Inside To Outside

Nov 18, 2011

One Host on inside network needs to access customized application hosted on Internet. Its a customized application run on port 80, 443, 5000-to-50020

How do I allow this host access for this specific application. I got ASA 5510 and host is in the inside network, we also got an ACL on inside interface to have control.
 
-Host IP on inside network  - 172.16.30.15
-Application to access - 74.219.x.x
-Inside ACL name - inside-acl

View 5 Replies View Related

Cisco Firewall :: Allow Outside Access To Inside Device Using ASA 5510?

Apr 22, 2013

I have a mail archiver (hardware device) in my network that I need to access to from the Ipad/iphone. There is an app for it but I have to allow the access on the ASA. I created an 'object' for the device and added a Static NAT entry for it, then added an access rule. Its not working so I am guessing I did it wrong. The device uses port 8000 which I also added to the object. correct commands, or using the ASDM works too.

View 1 Replies View Related

Cisco Firewall :: Can't Ping ASA 5510 Inside Interface

Apr 13, 2013

I  ran into a very strange icmp ping issue. The network has been working fine other than the issue listed below, L2L VPN works fine and all three data centers can access each other via L2L VPN.I have three ASA5510. [code]

View 5 Replies View Related

Cisco Firewall :: ASA 5510 With Inside Interface And DMZ Not Working

Feb 5, 2012

i have here a ASA 5510 sec k9.
 
I build a Config with a DMZ,INSIDE and OUTSIDE Interface. My Plan is to use the IP-Address of the OUTSIDE Interface with PORT to setup a HTTP Server In the DMZ
 
But my Config doesn't work. And I have no Plan why .....
 
The Inside Interface have to work normal. The Traffic to the Internet is TRiggert from Inside with Dynamic PAT
 
ciscoasa(config)# exit 
ciscoasa# show run
: Saved
:
ASA Version 8.4(1)

[Code].....

View 2 Replies View Related

Cisco Firewall :: Communication Between 2 Inside Interfaces On ASA 5510

Oct 23, 2011

I have a Cisco ASA 5510 configured to access the internet, with an:

inside interface (ethernet 0/1) 130.130.0.254 and outside interface (ethernet 0/0) x.x.x.x
 
I have now configured another inside interface (ethernet0/2) on ASA with the IP 172.16.0.254 and I have connected it directly to another switch with a management IP 172.16.0.5.
 
The problem is that the two inside interfaces (130.130.0.254 &172.16.0.254) cannot communicate with each other thus the e0/2 172.16.0.254 interface cannot access the internet.

View 5 Replies View Related

Cisco Firewall :: ASA 5510 - VPN Termination On Inside Network

Apr 17, 2011

I am setting up a new ASA 5510 on our inside network so that we can terminate our VPN connections on this ASA. I can get the VPN to work fine however I noticed that once I turned on my VPN profiles now when I try to access the ASDM I'm getting the VPN logon page. So I decided that in order to resolve this I need a separate interface dedicated to management of my ASA.
 
I'm trying to come up with the best way to do this. I've got two ports on the ASA plugged into my core switch. One is on a separate VLAN from the rest of my network traffic. This is the port I want to use for management. The second will be used to route all of my VPN traffic.
 
So far I haven't been able to get this to work at all. My thought was that it had to do with routes, NAT and ACLs. I've been playing with them but can't get any combination to work.

View 2 Replies View Related

Cisco Firewall :: ASA 5510 / HTTP Connection Inside Lan

Jun 8, 2011

I am configuring a new ASA 5510 to replace a SonicWall and I have a problem with an HTTP Connection inside my LAN.PC from the LAN ( using ASA LAN interface as gateway) can't Connect to a Camera video Web Server (192.168.4.20) on Port 80 whereas I can Ping it.
 
ADSM logs show :

106015# Deny TCP (no connection) from ip1 to ip2 Flags RST on Interface LAN.The adaptive security appliance discarded a TCP Packet that has no Associated connection in the adaptive security appliance Connection table.
 
- I Enabled command "same-security-traffic permit intra-interface"

- HTTP inspection is disabled.
 
I used Capture feature on the Ingress Interface, I joined the Logs and a part of my ASA Running Config.

View 3 Replies View Related

Cisco Firewall :: Cannot Ssh Or Ping ASA 5510 From Inside Interface

Apr 4, 2012

The ASA is configured in very simple transparent mode. As desired, traffic can flow in each direction between inside and outside. I can manage the ASA via console and direct connection to the management interface. The problem is that I cannot ping or ssh to the ASA via the inside interface. I need to be able to manage the ASA from any PC on the inside LAN. I suspect I am missing some easy aspect of the configuration but after a lot of hours I'm about at the end of my patience with it. Here is what I believe to be the relevant parts of the config. 
 
ASA Version 8.2(1)
!
firewall transparent
hostname issr1
enable password 2alej83t5cqT0FWd encrypted
passwd 4kleUY438I93.4ljdh encrypted
names

[code]....

View 4 Replies View Related

Cisco Firewall :: ASA 5510 Inside Access To NAT IP On Outside Interface

Jun 28, 2012

we have a server that has an outside IP and an inside IP. It's inside ip is 192.168.222.30/24 and it's outside IP is 199.204.50.2/29. The connection to this server from the outside is perfectly fine, but access from inside users to the NAT'd IP which is 199.204.50.2/29 is having issues, however, access to the inside IP works fine (this part makes sense)Will It be a must to set the inside DNS A record to the inside IP and not the outside IP, or can users on the inside interface access the NAT'd IP which is assigned to the server
 
LAN(192.168.222.0/24)<=====>InsideASAOutside<=====>(Server with NAT IP 192.168.222.30/24, it's also physicall assigned to this server).This is an ASA 5510 with 8.4.                  

View 10 Replies View Related

Cisco Firewall :: Unable To Access Inside Resources From Outside On ASA 5510

May 19, 2011

I have recently deployed a Cisco ASA 5510 Security plus firewall on my companies network, but there is a problem that I am finding hard to get by and I think it is ASA related.
 
From (inside we are not able to hit any of our sites that are on the (outside).  I have nat policies in place to translate the public to private, but I think I that I need some thing more.  This seems to be occuring mainly with our external web sites as well as another animoly with regards to FTP (but it may be fixed if the http issue is resolved.)
 
I was hoping some with a lot more knowledge on ASA firewalls than my self can spot the error in my run-cfgs.
 
[code]....

View 15 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved