I have a ASA 5510. I setup basic configuration to test internet with 2 ISPs. My first line works with out any problem. But my second line doesn't work. Even when i wipe the configuration, and setup only my second isp. Internet doesn't work. Can you tell me if there is anything wrong with this config?
CaaaA01# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname CaaaA01
domain-name example.com
[code].....
I'm trying to setup a L2TP VPN Connection on my ASA 5510 to connect with Android/Windows (Native Clients).I'm using the newest Releases:Cisco Adaptive Security Appliance Software Version 8.3(2) Device Manager Version 6.3(5)
My asa config just the interesting part:
crypto ipsec transform-set trans esp-3des esp-sha-hmac crypto ipsec transform-set trans mode transportcrypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map dyno 10 set transform-set transcrypto map vpn 20 ipsec-isakmp dynamic dynocrypto map vpn interface outsidecrypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400no crypto isakmp nat-traversal
[code]....
If i try to connect with a Windows 7 Client (NOT behind NAT) I get the Error 691.
I see that Phase 1/2 are working with debug:
Dec 22 16:32:16 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 1 COMPLETED
Dec 22 16:51:25 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 2 COMPLETED (msgid=00000001)
Then I see this "Error":
Dec 22 16:51:26 [IKEv1]: Group = DefaultRAGroup, IP = XXXXX, Session is being torn down. Reason: L2TP initiated
I don't understand why it doens't work....I tried many templates from the net but nothings works.
since our update of Cisco ASA 5510 (active/standby cluster) from version 8.22 to version 8.24 it isn't possible to transfer files from/to a sftp client. The request just times out. SSH from this client is possible.
[Code]...
I would like to setup backup ISP in our ASA5510. Right now the the firewall has for default gateway following command:
"route outside 0.0.0.0 0.0.0.0 114.324.321.33 1" i am changing this to route outside 0.0.0.0 0.0.0.0 114.324.321.33 10 track 1 ...so i can setup sla monitoring. As soon as i do the above command and remove the original "route outside 0.0.0.0 0.0.0.0 114.324.321.33 1" from asa then internet connection drops. Right now asa interface Ethernet0/0 has main isp configured and configuring interface Ethernet0/3 as backup. interface Ethernet0/3 name if backup security-level 0 ip address 114.324.321.34 255.255.255.252 no shut global (backup) 1 interface.
route outside 0.0.0.0 0.0.0.0 114.324.321.33 10 track 1 ( Right now in firewall i have" route outside 0.0.0.0 0.0.0.0 114.324.321.33 1 " ) route backup 0.0.0.0 0.0.0.0 115.283.212.23 20 track 2
track 1 rtr 1 reach ability
track 2 rtr 2 reach ability
sla monitor 1type echo protocol ipIcmpEcho 114.324.321.33 interface outside sla monitor schedule 1 life forever start-time now sla monitor 2type echo protocol ip Icmp Echo 115.283.212.23 interface backup sla monitor schedule 2 life forever start-time now. Also our firewall has site to site vpn and 1 main ip configured for exchange and remote access.
I have bought an RV180 Firewall/VPN and try to use the Backup Software Crashplan. As per the supplier it needs Port 443 and 4242 open. Port 443 is fine and allows me to use the service to backup to the Cloud. However when I want to allow other users to backup to my computer this traffic is blocked. I tried to open port 4242 on the firewall and forward the traffic to the computer that hosts the service but it does not work. I have tried to Telnet this port from the WAN but I don't get a response. When I check the Open Ports this port is not listed as a LISTEN port either.
View 1 Replies View Relatedow to backup Cisco ASA-5510 from a Linux server via TFTP?I do know how to backup a switch or a router. Basically creating an access list such as:
access-list 55 remark PERMIT hosts requesting TFTP access
access-list 55 permit host 172.16.0.27
and allowing access to
tftp-server nvram:startup-config 55
all this inside the router or the switch. From the Linux box just running a simple command such as:
tftp 172.16.0.3 -c get startup-config newbackup.conf
where 172.16.0.3 is the IP address of the switch and newbackup.conf is the name of the config file stored on the Linux machine.So, how do I do that with an ASA box? how to backup ASA from inside it.
I am running a ASA 5510 in multiple context mode. IOS 6.4(2), ASDM 6.4(5)106.
In older ios/asdm versions it was possible to backup the configuration using ASDM.
In 6.4(5)106 i am missing this feature (see attachment)
Is it possible to backup a multiple context firewall using ASDM and above mentioned software versions?
We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
how to configure a backup route to the internet. My client has 2 ISP and basically they want to use 1 ISP and in case the ISP fails, use the other one as backup route to the internet.
The problem I’m facing is that each ISP is plugged to a dedicated ASA 5510, so 1 ISP in one firewall and 1 in the other. Both ASA are plugged to an internal network in a dedicated VLAN with a L3 switch and that L3 switch manages the internal network.
My question is, how can I tell my switch to use ASA1 to go out to the internet and in case the ASA 1 OR THE LINK TO INTERNET used by ASA 1 fails, use ASA 2? It would be great if I can send traffic to the internet thru both connections at the same time. Also, I know the ASA has High Availability configuration, but that applies only if both licenses in the devices are the same and I have a mismatch with the SVPN license, and also I don't know if with my current topology I can use the High Availability model, so I think I can’t use that option and the solution must be applied in the L3 switch, but I don’t know how to tell it to use ASA1 and if failure of the device or the outside interface plugged to ISP 1, then use ASA2. Besides, I would like to know how to optimize this config to do the switch between internet connections seamless to the users if possible (there are VoIP calls on this floor, so I don't want to drop the calls).
I am trying to use the built in feature of Cisco ASA 5510 smart call home feature with the purpose of automatic backup creation by email. I found the configuration [URL]. I already configured the said instructions but when I send a test email it says it cannot contact the email server. Below is the error that I am getting from our ASA. I am new to firewall.
OGI-MNL-ASA-FW0# call-home test profile ASA_Config_Backup
INFO: Sending test message to fcaccam@example.com...
ERROR: Connecting to SMTP server xxx.xx.xxx.xx failed: CONNECT_FAILED(33)
ERROR: Failed: CONNECT_FAILED(33)
I have one outside interface with global IP address 1.1.1.1 and two inside.Both inside interfaces restrict and non_restrict have private IP addresses.I tried to filter some URLs on PIX515 IOS 7.2, only on restrict interface but my filter does not work.I can access prohibited URL from restrict interface. What's wrong in my URL filtering?
Here is my config:
PIX Version 7.2(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
[code]....
A couple of weeks ago, one of our ASA 5505s failed, and Cisco TAC shipped out a replacement. I was on vacation, and my assistant worked with TAC to get our backed-up configuration restored to the new hardware. This backup was just a copy & paste of the "show start," rather than an export done from ASDM. Anyway, since I got back on vacation I was able to iron out all the wrinkles from the configuration restore, except one. The remote access VPN isn't quite working. This VPN is only used in emergencies, when I can't access that branch office's network via our WAN.
What's happening is that clients are getting "authentication failed" messages when connecting. On Windows, it's an error 691. The VPN is set to authentication against RADIUS (Microsoft IAS server). The IAS server reports that the connection and authentication is successful. AAA RADIUS authentication tests on the ASA succeed, as do authentication & authorization LDAP tests. Basically, everything was working fine before we swapped in the new hardware, and I've gone over the configuration with a fine-toothed comb to ensure nothing's changed -- but clearly, I'm missing something. The new ASA is otherwise operating perfectly.
I have a server in a network DMZ (IP 192.168.40.43) need to do discovery of other IP address to update the IPAM tool. It should not be done source NAT so I´m trying to use the configuration below with Policy NAT but isn´t working:
nameif ethernet1 inside security100
nameif ethernet5 dmz8 security55
!
ip address inside 10.56.12.93 255.255.252.0
[Code]....
It´s following message appears "% PIX-3-305005: No translation group found for icmp dmz8 srv: 192.168.40.43 dst inside: 10.38.36.50 (type 13, code 0)".
I need to be able to redirect some HTTP traffic to an Ironport WSA (for now) on a DMZ interface, the initial config I'm trying to test is along the lines of the following (don't have access to the ASA at the moment to cut-and-paste):
access-list 101 deny any any neq www
access-list 101 deny tcp host 10.0.2.2 any
access-list 101 permit tcp any any
route-map proxy-redirect permit 101
match ip address 101
set ip next-hop 10.0.2.2
Unfortunately the ASA does not take the "set ip next-hop" command, I get an invalid input error message and if I at the route map config prompt type "?" only the "metric" and "metric-type" commands are listed as available.
This happens both on 8.2 (ASA5510) and 8.4(2) (ASA5505). Since others are able to make this work, I assume there's something else on the ASA that I have to set to enable this command?
So, my desktop, running windows 7, can no longer connect to the internet. It has no problem connecting to the router, but it will not receive packets. I double checked my connection using my laptop and it works with wireless and wired connections, so I know it's something with my desktop. I would really like to avoid doing a reinstall, I don't have anywhere to back my data up to.
View 5 Replies View RelatedI have been having problem with my internet lately. I live in UK and there is this game that I used to play that has a region IP block so I have to use Hotspot shield to play,but now my internet doesn't connect to Hotmail or this forum unless hotspot shield is turned on. How can I fix that? I tried config/flushdns but no luck. I am using window xp.
View 1 Replies View RelatedIt's a 64 bit machine, with windows 7. He fills out surveys and gets money from them, and I don't like to work on his machine because of this. But... He called, so I came over and Anyhow... I'm worried that the Ethernet has gone bad on the motherboard, but they bought a USB stick for wireless internet, and that didn't work either.I realize I have basically no worth while informationHis router works fine, if you plug in another computer it can connect to the internet, but his computer can't. Something is turned off as far as I can tell. And I can't figure out how to turn it on.
View 5 Replies View RelatedThe electric went off in my house about an hour ago, causing my computer to turn off as a result. Ever since, the internet on my PC has been acting up.
My internet was working perfectly before the power cut both on my laptop (my mum was using it at the time) and PC, however, while I've got no problems with the internet on the laptop, my PC keeps losing the connection to a ridiculous degree. It'll drop the connection for over a minute at a time, come back on literally long enough for me to refresh/load 1 webpage (~5 seconds), then go back off again for another minute or two.
All the lights on the router are on and I've even cross-referenced (lacking a better term...) the internet connection between my lap top and desk top and my laptop will work fine when my PC is telling me there's no connection and nothing will load on it. It seems to me that something has happened to my desktop when the power went out but I have no idea where to begin to even try to find out what's wrong.
I've tried turning off the router by both the wall and the little button on the back of it, and I've restarted my PC twice as well and still the internet doesn't work properly. My laptop picked up the connection as soon as the router came back on with no problem but my desktop struggled to find the connection and only picked it up after turning the router off twice aand restarting the computer twice as well and as I said, when it finally did find the connection it just keeps dropping it.
I've got an ASA 5510 running 8.4.I have a host on an inside interface, with a static NAT configured on the ASA. The inbound/return half of the NAT doesn't appear to be working. [code] I run a ping from the host (192.168.100.98) to something on the outside (1.2.3.4)Running captures, I can see the outbound ping leaving, having been NATed OK. I can see the reply coming back in to the outside interface with the correct IP address, but I never get the final NATed packet appear on the inside interface. The packet just disappears inside the ASA.
View 2 Replies View RelatedI have a problem with mi telephony server. My network topology is very simple. I have an ASA5505 connected to Internet throught an ISP. Behind ASA5505 I have a ToIP Server that operate well inside LAN network. However, when I try to register two or more extensions (Softphones) from Internet, Softphones some times it registers sucessfully, but some times doesn´t work.
The other hand, when softphones outside from LAN get register sucessfully in Asterisk server, is not possible that one of this calling the other one, and Asterisk server detects them as "UNREACHABLE". I don´t know if the problem are all commands of traffic inspect or if the problem is referenced to a particular UC proxy License.
These are configuration lines:
object-group service elastix-ports
service-object udp eq sip
service-object udp gt 10000
[Code]......
I'm trying to build different content security scenarios for a potential deployment of ASA5500-X series firewall with CX module and ran into a trivial problem. A simple access policy has been configured to deny Skype. It's as simple as it sounds. To my surprise I don't see that it is being enforced.I have all my pending changes committed, events are now showing with hits, see attached print screens. Tried to start Skype on my PC with the source shown on the print screen it and don't see any effects of this policy.
As a side note, I know for sure that other type of filtering does work, i.e. I have configured a deny filter for gambling URL category and it seems to work nicely.
I've been having this DNS problem for 6 days or so. The internet doesn't work with cable nor Wi-Fi and I've tried almost everything, ping, configuring the DNS, IP, disabling everything, enabling everything, nslookup doesn't work, releasing and renewing doesn't work too, and to make things worst.(In the main computer, everything works just fine and the router settings appear to be correct too, my computer also works perfectly fine in other places with WLAN).
View 14 Replies View RelatedMy wireless is connected fine but the internet wont work.I have internet explorer and firefox and it doesnt work on either.
View 1 Replies View RelatedInternet doesn't work on my laptop. after getting some worms that prevented me to open any programs, i did a recover from previous back up. but since then my internet doesn't work (with or without cable). wirelessly: my laptop says im connected to the router, but it says that i have no connection to internet. sometimes it says that i m connected to internet but even so when i try to open my browsers (ieplorer or firefox), it just says "unable to connect"With wire: when i trie to connect via a cable directly to the modem, it does the same thing, it says iam connected to the modem but i have limited access, and the browsers say that it can't open internet.i am using windows 7, have a dell computer and a belkin N1 wireless router, and using cable.i tried to restore the winsock using the netsh command, i used winsockxpfix, i used lspfix, i deleted my norton virus program, i reset my router to default, i deleted my cache-cookie-history from the browser, i think my driver are up to date, i check my manager device (they all work), nothing worked.
when i type the command ipconfig, it gives me:
ipv4 adress: 192.168.2.2
subnet mask: 255.255.255.0
default gateway: 192.168.2.1
when i type the "ping yahoo.com" i get:
4 received, 4 sent, 0 lost
my computer works fine and i can go online. i use wire for my computer and try the same wire to my laptop but not working. i tries another cable throught the router but still nothing.
My router is connected from modem to router to pc.It is a Linksys WRT160N.When it is plugged in that way, my pc doesn't have internet access but when i plug it from modem to pc it works.
View 5 Replies View Relatedwhat´s going on with an asa540 configure in multiple-context mode. I Have a cacti server on my lan and now I´m try to monitoring the interface with snmp. When I try to get this information returns the error message:
CISCOASA/CONTEXTA#
JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverve path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
If I try to ping returns the same error:
CISCOASA/CONTEXTA#
JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
Following attached the conf of my asa My question is Why I can´t ping or even use snmp ?
I am trying to remove a line in a particular access-list configured in a FWSM module using this command "no access-list <acl> line 19 x x x x" but it doesn't work. See below:
FWSM/xxx03(config)# no access-list ?
configure mode commands/options:
alert-interval Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny
[code]...
How can I remove a line from the access-list without clearing the entire access-list?
my wireless internet does not work after I rebooted my laptop.I tried installing wireless internet but it failed.What do i do?
View 1 Replies View Relatedmy laptop internet doesnt work, devices dont exist(ethernet controller.network controller and pci simple communication controller) my pc is dell inspiron and windows 7
View 1 Replies View RelatedI start my pc i get 2 local area connections instead of 1 and because of this my internet does not work unless i disable and enable again the network .After enabling only 1 network shows and i can connect to internet.It may be because i replaced my motherboard even tho i uninstalled the drivers?
View 1 Replies View RelatedI just got my DIR 825. It had 2.02NA Firmware in it. It had a few options that I wanted to use but didn't work. So I thought I would update firmware. I follow the instruction from dlink to install firmware. So I loaded 2.03 and noticed internet connection not working. So then I loaded 2.05 part1 and part2. Still could get internet connection to work but the reason to upgrade the option I wanted worked. So then I loaded 2.06 and still same result. No internet connection. So then I loaded the original firmware back in and internet connection works. Why doesn't the internet work on the other firmware updates. I got the updates from dlink website. I would like to update firmware
View 9 Replies View RelatedI can't telnet from a host(Ubuntu 12.10) in our DMZ to an outside MX on port TCP 587. Inspection for ESMTP not enabled. Port 587 enabled for host in DMZ to any.
View 12 Replies View RelatedI am using ASA5520 with webvpn for file sharing. But recently we just upgraded the OS that accommodate file shared folder from win2003 R2 32bit to windows server 2008 R2 64bit. Now I have a problem with accessing file share by ASA webvpn, it appears error contacting host, we have tested the file shared of webvpn on the other OS windows 2003 and windows 2008, they are working on these OS except win2008 R2. Current the ASA OS version is 8.0(2). And the windows firewall has been disabed.
View 3 Replies View Related