Cisco Firewall :: Inside Hosts Cannot Connect To Internet Through ASA 5510
Dec 4, 2011
I have an ASA 5510 which i've configured for internet access.I can connect to the internet from the ASA box,I can ping public networks from the console of the ASA box,but cannot access public hosts from internal hosts connecting via the ASA box.Find my config below to know what i ahave omitted or committed.
[code]...
View 5 Replies
ADVERTISEMENT
May 22, 2011
This is an issue I'm currently exploring with TAC, but I'd like a quick reality check. We have a pair of ASA 5510s in Active/Standby stateful failover mode. In some tests failing over from the active to the standby system breaks SSH connections from hosts on our Inside to hosts on our DMZs.
A specific example is our backup server on Inside which is connecting to our mail server in the DMZ2, and running ssh/rsync/scp for the backups. A running backup job fails with network timeout errors when I trigger the failover. Also, sometimes the mail server loses or hangs on its connection to our LDAP server in DMZ1, although sometimes this connection is fine (DMZ2 is more "inside" than DMZ1, and I assume the LDAP look ups are many short connections, vs the rsync backup being one long connection).
TAC has suggested that open SSH sesions will always fail when the ASAs failover. I believe this is true for management connections to the ASA, but I don't see why it should be the case for an SSH session through the ASA to a server in the DMZ. TAC has suggested that I open some connections to servers in the DMZ and test what happens, and I can do so this Wednesday morning during a maintenance window.But, in general, is this true? That is, given an SSH session from a workstation to a server, should a failover break it? If so, why?
The setup is:
MyWorkStation-INSIDE -> CoreSwitch (vlan 10) -> [ ASA-INSIDE - - (ASA-internal-connection) - - ASA-DMZ ] -> CoreSwitch (vlan 3) -> TargetServer
That is, all our inside VLANs are routed by our core L2/3 switch to a VLAN that connects to the Primary and Secondary ASA's INSIDE ports. There are also seperate VLANS on the core for the ASA's DMZ1 and DMZ2 connections, which go to both ASAs and to any servers in these zones.
The description of the ASA Stateful failover [URL]says: "The state information passed to the standby unit includes these:
· The NAT translation table
· The TCP connection states
· The UDP connection states
· The ARP table
· The Layer 2 bridge table (when it runs in the transparent firewall mode)
· The HTTP connection states (if HTTP replication is enabled)
· The ISAKMP and IPSec SA table
· The GTP PDP connection database
[code]....
I'm not quite sure what the ISAKMP and IPSec SA tables do, but shouldn't an SSH connection through the ASA be just a TCP connection? "For us, SSH from Inside to hosts in the DMZ survives failover," or, "Yah, failover breaks all SSH sessions."
View 2 Replies
View Related
Jun 8, 2013
I am struggling to get successfull pings beween asa and inside hosts but couldn't succeed. Done packet tracer result is acl-drop
Here is the running config
Prem-ASA(config)# sh run
: Saved
:
[Code].....
View 7 Replies
View Related
Nov 21, 2012
ASA is running 8.4.
Internal interface: 172.16.1.1
External interface: 172.16.2.1
Routing to 192.168.0.0 via internal host.I've got some static NATs, e.g:
object network obj-192.168.0.1
nat (inside,outside) static obj-172.16.2.1
object network obj-192.168.0.3
nat (inside,outside) static obj-172.16.2.2
I also want in internal NAT, but only for certain external hosts, so when they connect to any of the above, their source address is changed. I've attempted the following so an external host (172.16.2.254), has it's source changed to 172.16.1.100.
nat (outside,inside) source static obj-172.16.2.254 obj-172.16.1.100
But it's source remains unchanged.What am I missing?
View 3 Replies
View Related
Sep 27, 2011
I am able to connect to my Cisco ISR 891 via VPN with the Cisco VPN Client 5.0.07.0440, but once connected I cannot access hosts on the inside. If I ping a host on the inside by name, nothing resolves. If I ping by IP, I get a reply from the public IP of the router. [code]
View 2 Replies
View Related
Feb 18, 2012
The ASA5505 I am working with has this from the show version:
Licensed features for this platform:Maximum Physical Interfaces : 8VLANs : 3, DMZ Restricted Inside Hosts : 10Failover : Disabled VPN -DES : EnabledVPN-3DES-AES : Enabled VPN Peers : 10WebVPN Peers : 2Dual ISPs : Disabled VLAN Trunk Ports : 0
This platform has a Base license.
Does the Insides Hosts :10 line mean that only 10 devices can be connected to the firewall at one time? I would like to connect an AP to one of the PoE ports and have possibly more than 10 connected. Is this possible with this ASA5505?
View 9 Replies
View Related
Aug 17, 2011
I want to upgrade "inside hosts" from 10 to unlimited on a ASA5505-BUN-K9, Do I have to buy Security Plus license ( L-ASA5505-SEC-PL =) ) before activating ASA5505-SW-10-UL ?
View 3 Replies
View Related
Apr 25, 2011
I am using ASA 5505 firewall with base-license. I connected my firewall to one cisco 3750 switch where i created 5 vlans. I done NATing for all vlans and they able to get internet and working fine. They able to browse all internet sites like gmail and yahoo mail.
All internal users are configured to use Outlook for their webmail. Here the problem is with outlook they are unable to send and receive the mails.
If they directly connected their system using public ip( Directly from ISP) they able to send and receive mails from outlook.
View 2 Replies
View Related
Jun 22, 2011
I'm stuck at asa 5505 nat, port forwarding configuration Here is what i need:
host1: 192.168.1.1 service tcp/100 >>>>> public ip 1.1.1.1 service tcp/100
host2: 192.168.1.2 service tcp/200 >>>>> public ip 1.1.1.1 service tcp/200
host3: 192.168.1.3 service tcp/300 >>>>> public ip 1.1.1.1 service tcp/300
So people from remote just need to use 1.1.1.1 public ip to access all the ports on three different inside server.I can do this on my old ASA 5505 with 8.0(4). Looks like there're lots of change from 8.0 to 8.4.
View 7 Replies
View Related
Feb 14, 2012
At the end of the day I simply need to upgrade the license on my ASA 5505 v7.2.4 (upgrade will come later as part of a larger project) to allow for >10 Inside Hosts. From what I've read there seems to be a 50 license upgrade out there. Can this be purchased directly? From whom? Will it only affect the Inside Hosts number and not affect any other licenses, configurations, etc. Just being overly cautious since this is way outside of my normal realm. Below is the current activation-key information....
Result of the command: "show activation-key"
Serial Number: xxxxxxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
The flash activation key is the SAME as the running key.
View 2 Replies
View Related
Jun 7, 2013
One of our company guys always complaining that few inside PC's are frequently loosing internet and reconnecting after some times.The Connectivity is as mentioned below:
Inside: Switch -> Router -> ASA -> Router -> Modem ->Internet ------------VPN-------------------------
View 3 Replies
View Related
Sep 11, 2012
I hava ASA5510. INSIDE,DMZ and OUTSIDE interfaces are configured. I hava web server on DMZ ip:10.0.0.1 and it is static natted to 1.1.1.1. From internet i can reach to web server with IP:1.1.1.1 and from INSIDE connect to web server with IP:10.0.0.1. Now i want to connect from INSIDE to WEB server via public IP(1.1.1.1).how can configure it?
View 2 Replies
View Related
Jan 3, 2012
so i have a ASA 5510. The ASA is Connect with the Internet through PPOE DSL MODEM
The outside Interface get an IP. The Inside Interface get through DHCP from the ASA the Internet DNS SERVER (T-Online) But the HOST do not connect to the Internet because the DNS Server is timed out
Code...
View 10 Replies
View Related
Dec 30, 2012
I have a Cisco ASA 5510 with 3 inside interfaces each connected to a 3750X switch port in a vlan. Outside interface is connected to external router with 209.155.x.x public IP. Static route exists for outbound traffic on outside interface.
3750X is configured for inter-vlan routing. VLANs 10, 20, and 30 have 172.16.x.1 IP address with static routes pointing to the each of the ASA inside interfaces - 172.16.x.254. Connected hosts are configured with gateways pointing to the appropriate vlan interface IP - 172.16.x.1.
Inter-vlan routing appears to be working - I can ping back and forth between hosts on different vlans, and I can ping each vlan IP.I can also ping each ASA inside interface from a host in the appropriate vlan, but I cannot ping internet sites (4.2.2.2 or 8.8.8.8) from hosts on the inside interfaces.
I can ping 4.2.2.2 from the ASA CLI. I can ping internal hosts on vlans 10,20,30 from the ASA CLI. But, no luck with pinging from inside host to internet hosts
View 12 Replies
View Related
Oct 31, 2012
I've been attempting to fix this issue or confirm the issue is not with the firewall and I have kind of run into a road block. This is my problem as I understand it. A client of mine has a VPN tunnel built over a point to point connection of some kind (this client is fairly new to me) and is unable to access some hosts on the remote end of the VPN tunnel from the LAN side of the firewall. The LAN IPs are NAT'd as they leave the network from the HPH-Point-to-Point interface to the remote end. Just as a point of reference, the LAN IP of 129.200.11.19 is said to be working, however the range of 129.200.20.25 - .50 is not. I've tried packet-tracer but with the NAT happening over a VPN tunnel I am not sure if I am doing it correctly.
View 1 Replies
View Related
Dec 10, 2012
I have just started to use an ASA 5510 for my network. I use the DHCP server on it and after i made the change over to ASA hosts started loosing their IP address. This was not a problem before on my old firewall that aso had the roll of DHCP.
Is it possible that something is wrongly sett on the asa? All traffic is flowing normaly when this does not happen.
Information:
Lease length: 172800
address pool: 134 addresses
hosts: around 45 + mobile units 45
View 3 Replies
View Related
Feb 20, 2012
I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.
View 1 Replies
View Related
Dec 20, 2012
I have an ASA 5510 deployed and we are getting a tonne of port scanning traffic (who isn't these days) and ping traffic.The threat scanning thresholds seem a bit too high and was wondering if there is a way to use a Service Policy Rule to perform a Shun/Block of the hosts rather than the firewall simply blocking the request via the ACL and sending a reply.
In other words, if I do nothing, I know the ACL is protecting the resources but it is still replying to the client connection. I want the end result to be the same as a "Shun" where the connection is dropped and no reply is sent. how to employ Service Policy Rules to thwart Port Scanning and/or IP Spoofing?
View 2 Replies
View Related
Jun 9, 2011
DNS resolution works and I can surf the web without fail. But if I try to ping any external hosts (I can ping inside interface of ASA fine) from the LAN I get timeouts. I can ping anything from the ASA without fail.
ASA Version 8.4(1)
!
hostname fw1-nat-ann
domain-name inmd.infoblox.com
enable password anWLNen9CTFp7B/X encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
View 1 Replies
View Related
Jun 18, 2012
I am able to reach VPN clients (Anyconnect) only from hosts directly connected to the ASA's inside interface subnet. However, hosts on other internal subnets (177.1.10.0 & 177.1.11.0) are unable to connect to clients on VPN. The ASA is running ver 8.4. [code]
View 8 Replies
View Related
May 9, 2011
I have deployed a read only domain controller in our DMZ as part of a domain-related project. That machine needs to be able to reach domain controllers on our internal network. To do so, it should traverse our ASA 5510, going from the DMZ Interface (security level set to 60) to the Inside Interface (security level set to 99).
I've created an ACL as following (alerting hostnames in the example):
access-list dmz_access_in extended permit ip host dmz.rodc.domain.local object-group int-domain-controllers
I've read in various spots that you have to create a NAT when traversing security levels, going from a less trusted interface (DMZ) to a more trusted one (internal.) Since this link will carry domain traffic, we do not want to create a real translation. Thus, I created a stand-in NAT that points to its own IP as follows:
static (dmz,inside) dmz.rodc.domain.local dmz.rodc.domain.local netmask 255.255.255.255
Long story short, the connection fails. I'm able to access other hosts in the DMZ and on another interface configured with the same security level (which I've explicitly allowed), but trying to go from the less-trusted DMZ to the more-trusted internal fails.
View 12 Replies
View Related
Feb 10, 2011
I'm just new with ASA. I'm just self-studying on it. I was tasked to have an ACL that will allow inside hosts to access a specific network. Is there a way on how to know all the inside hosts on the behind ASA so that I can do a "object-group network" on those inside hosts which I think it will look neat.
View 1 Replies
View Related
Mar 5, 2011
configure ASA 5510 as below
inside users should communicate with Hosts on the DMZ Zone and at the same time they should go for internet towards outside interface
ASA with 8.3(1)
default security levels
attached is the digram for your reference need communicate form inside to DMZ
View 1 Replies
View Related
Nov 18, 2011
One Host on inside network needs to access customized application hosted on Internet. Its a customized application run on port 80, 443, 5000-to-50020
How do I allow this host access for this specific application. I got ASA 5510 and host is in the inside network, we also got an ACL on inside interface to have control.
-Host IP on inside network - 172.16.30.15
-Application to access - 74.219.x.x
-Inside ACL name - inside-acl
View 5 Replies
View Related
Apr 22, 2013
I have a mail archiver (hardware device) in my network that I need to access to from the Ipad/iphone. There is an app for it but I have to allow the access on the ASA. I created an 'object' for the device and added a Static NAT entry for it, then added an access rule. Its not working so I am guessing I did it wrong. The device uses port 8000 which I also added to the object. correct commands, or using the ASDM works too.
View 1 Replies
View Related
Apr 13, 2013
I ran into a very strange icmp ping issue. The network has been working fine other than the issue listed below, L2L VPN works fine and all three data centers can access each other via L2L VPN.I have three ASA5510. [code]
View 5 Replies
View Related
Feb 5, 2012
i have here a ASA 5510 sec k9.
I build a Config with a DMZ,INSIDE and OUTSIDE Interface. My Plan is to use the IP-Address of the OUTSIDE Interface with PORT to setup a HTTP Server In the DMZ
But my Config doesn't work. And I have no Plan why .....
The Inside Interface have to work normal. The Traffic to the Internet is TRiggert from Inside with Dynamic PAT
ciscoasa(config)# exit
ciscoasa# show run
: Saved
:
ASA Version 8.4(1)
[Code].....
View 2 Replies
View Related
Oct 23, 2011
I have a Cisco ASA 5510 configured to access the internet, with an:
inside interface (ethernet 0/1) 130.130.0.254 and outside interface (ethernet 0/0) x.x.x.x
I have now configured another inside interface (ethernet0/2) on ASA with the IP 172.16.0.254 and I have connected it directly to another switch with a management IP 172.16.0.5.
The problem is that the two inside interfaces (130.130.0.254 &172.16.0.254) cannot communicate with each other thus the e0/2 172.16.0.254 interface cannot access the internet.
View 5 Replies
View Related
Apr 17, 2011
I am setting up a new ASA 5510 on our inside network so that we can terminate our VPN connections on this ASA. I can get the VPN to work fine however I noticed that once I turned on my VPN profiles now when I try to access the ASDM I'm getting the VPN logon page. So I decided that in order to resolve this I need a separate interface dedicated to management of my ASA.
I'm trying to come up with the best way to do this. I've got two ports on the ASA plugged into my core switch. One is on a separate VLAN from the rest of my network traffic. This is the port I want to use for management. The second will be used to route all of my VPN traffic.
So far I haven't been able to get this to work at all. My thought was that it had to do with routes, NAT and ACLs. I've been playing with them but can't get any combination to work.
View 2 Replies
View Related
Jun 8, 2011
I am configuring a new ASA 5510 to replace a SonicWall and I have a problem with an HTTP Connection inside my LAN.PC from the LAN ( using ASA LAN interface as gateway) can't Connect to a Camera video Web Server (192.168.4.20) on Port 80 whereas I can Ping it.
ADSM logs show :
106015# Deny TCP (no connection) from ip1 to ip2 Flags RST on Interface LAN.The adaptive security appliance discarded a TCP Packet that has no Associated connection in the adaptive security appliance Connection table.
- I Enabled command "same-security-traffic permit intra-interface"
- HTTP inspection is disabled.
I used Capture feature on the Ingress Interface, I joined the Logs and a part of my ASA Running Config.
View 3 Replies
View Related
Apr 4, 2012
The ASA is configured in very simple transparent mode. As desired, traffic can flow in each direction between inside and outside. I can manage the ASA via console and direct connection to the management interface. The problem is that I cannot ping or ssh to the ASA via the inside interface. I need to be able to manage the ASA from any PC on the inside LAN. I suspect I am missing some easy aspect of the configuration but after a lot of hours I'm about at the end of my patience with it. Here is what I believe to be the relevant parts of the config.
ASA Version 8.2(1)
!
firewall transparent
hostname issr1
enable password 2alej83t5cqT0FWd encrypted
passwd 4kleUY438I93.4ljdh encrypted
names
[code]....
View 4 Replies
View Related
Jun 28, 2012
we have a server that has an outside IP and an inside IP. It's inside ip is 192.168.222.30/24 and it's outside IP is 199.204.50.2/29. The connection to this server from the outside is perfectly fine, but access from inside users to the NAT'd IP which is 199.204.50.2/29 is having issues, however, access to the inside IP works fine (this part makes sense)Will It be a must to set the inside DNS A record to the inside IP and not the outside IP, or can users on the inside interface access the NAT'd IP which is assigned to the server
LAN(192.168.222.0/24)<=====>InsideASAOutside<=====>(Server with NAT IP 192.168.222.30/24, it's also physicall assigned to this server).This is an ASA 5510 with 8.4.
View 10 Replies
View Related
May 19, 2011
I have recently deployed a Cisco ASA 5510 Security plus firewall on my companies network, but there is a problem that I am finding hard to get by and I think it is ASA related.
From (inside we are not able to hit any of our sites that are on the (outside). I have nat policies in place to translate the public to private, but I think I that I need some thing more. This seems to be occuring mainly with our external web sites as well as another animoly with regards to FTP (but it may be fixed if the http issue is resolved.)
I was hoping some with a lot more knowledge on ASA firewalls than my self can spot the error in my run-cfgs.
[code]....
View 15 Replies
View Related