Cisco Firewall :: Limited Websites Available After ASA 3750 Move
May 21, 2011
I just completed a relocation of my core data center network, which included numerous virtualized servers, plus Cisco 3750 switches and ASA. The addressing did not change as this was internal to our overall network. After the move, however, some websites are not available. My first thought was a double NAT, but this does not seem to be the case.
May 20, 2013
I'm trying to move the config from a 3750 to a 3750 PoE but without using the PoE options. I have already downloaded the config with tftp and uploaded it to the 3750 PoE. Now the new config is stored on the PoE switch but some of the old settings are still there. Not sure why; I think the config only overwrites the settings which are in the conf file, and the settings which are not in the conf file but enabled on the switch will stay on the switch. After the upload of the config file I deleted all the config I do not need by hand. There are some settings I can't delete and I don't know why; these are the settings:
1. each fastethernet port has this option: "no cdp enabled". This entry was not available on the old switch; is there any possibility to remove this entry?
2. the same for "no mls qos rewrite ip dscp"
3. and for this one "vlan internal allocation policy ascending"
Dec 17, 2012
I'm upgrading ASA firewalls from a 5510 (running 8.2.2 code) to a 5515-X (running 8.6.1 code). What is the best way to move the existing config to the new firewall? Can I simply copy it?
Apr 18, 2013
I'm trying to move some configurations over to an ASA5510 and some of the commands are a bit different than I'm used to (worked on old PIX before).
I've configured the following on the device:
Outside interface: 65.66.64.34/28
DMZ : 65.66.64.49/28
Inside : 10.2.3.3/26
===========================
The current firewall has the below configured on it (old Juniper)
10.2.3.0/24 gateway 10.2.3.15 **10.2.3.15 is the IP for 3750 switch on the inside LAN**
10.0.0.0/24 gateway 10.2.3.4 **10.12.175.4 internal vpn- will remove later but that's a different discussion**
0 0 gateway 65.66.64.33 **to internet
10.0.1.0 gateway 10.2.3.2 **10.2.3.2 represents mpls traffic
[code]...
The current setup for this network has an MPLS router and a VPN concentrator as part of the network. My aim currently is to replace the Juniper with an ASA5510; the changing of the VPN tunnels will be for a different time:
work station ===> switch (3750) DG to =====> MPLS (vendor owned and managed) ====> non mpls traffic ====> vpn concentrator ===>firewall ===> router
The above will need ACLs to go with the routes, which I should manage OK; just want to make sure the routing is configured properly.
Jun 21, 2011
I am currently using g0/3 for failover between my two ASA5520s. I would like to move that to the management interface to free up g0/3 for a second DMZ segment. Are there any implications to doing this live other than I would only have a single ASA during the move?
Jan 16, 2012
I can't move traffic (isakmp udp_port: 500 & ipsec nat traverse udp_port: 4500) from my DMZ to the outside interface.
Apr 18, 2013
I am planning to deploy an FWSM module in a 6513 chassis and need your valuable comments regarding the strategy that I created for this deployment. Initially (without FWSM deployment) all internal traffic moves in this manner.
7613(G9/5) --> 6513(G10/4) --> ISA (Internal Int.) [NATing] (ISA External Int.) -->
6513(G9/45){This is L2 port in VLAN 164} --> VLAN 164(SVI Int,IP:192.168.40.20) -->
(G9/44){This is L2 port in VLAN 164}--> ASR 1002 -->Router -->Internet.
As you can see from the image, I am planning to deploy FWSM in transparent mode in between VLAN 164(SVI Int,IP:192.168.40.20) -[FWSM here]->(G9/44){This is L2 port in VLAN 120}, by putting the inside interface of FWSM in VLAN 164, creating a new VLAN on the 6513, i.e. VLAN 120, and putting G9/44 in it. Now, will this configuration work regarding the passing of traffic through FWSM? What improvements do I have to make in this design? You can check the attached diagram.
Nov 4, 2012
We will be moving to a new data center in the very near future and with that our WAN IP addresses will be changing. Any best course of action for changing the IP addresses throughout the firewall configuration? Would it be possible/suggested to export the running-config, make the necessary changes, then import the config? I am familiar with the ASA 5510 only so far as changes are required. It is not something I work with on a regular basis.
May 28, 2012
I have a Cisco ASA 5505 firewall. Is it possible to block secure websites in it like [URL]? I have already tried regular expression filtering but it filters only HTTP traffic.
Sep 16, 2012
I have an ASA 5510 system currently in single context mode, with CSC SSM installed. Single ISP uplink to internet, no VPN. And now the customer would like to add another ISP uplink, without investing in another box for HA. What comes to my mind is to make the current box multi context. There are some areas I am concerned about and I also need your perspective on them.
Question 1: For making the firewall multi context, do I need to do it from scratch: issue the mode multiple command, then rebuild the current production config into one of the contexts, then another context meant for the new IPS uplink, and one admin context?
Question 2: For the CSC-SSM licensing requirement, model ASA 5510 with Security Plus license is able to support 2 contexts. So if I split my firewall as I mention in the question, what exact number of contexts do I own (admin, context A, context B)?
Question 3: For the CSC-SSM module in multi context mode, must the management port of the CSC SSM attach to the admin context?
Question 4: After configuring all the policy and traffic to scan, what exactly should I do in order to apply this policy to the interface? Should I only enable it at the admin context, then firewall service-policy rules, and apply it globally, or should I also do the same on context A and context B?
Oct 9, 2012
I have a PIX 501 with 6.2 FW. The firewall inside network is connected to a Windows server (mail server). I can get access to most websites on all clients as well as on the server. However, there are some particular websites, such as facebook.com, that the server and all but one client cannot access. I get a "cannot display the webpage" in Internet Explorer.
I have disabled the Windows firewall and AV. I have also scanned for any malware and no malware was found.
I found on the forums a "fixup protocol dns" solution, but my PIX version does not support it.
Below is my config:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
[Code]......
Nov 16, 2011
How to block a single website, but I want to do the opposite. I would like to block all websites except for a handful of them. Any example configs?
Nov 9, 2011
How to block the websites on Fortigate 50B firewall.
Feb 25, 2013
Now, I want to block some websites in Cisco ASA 5510 and I want to block keywords like "sex", "game", ... How can I configure it?
Nov 18, 2012
Has ASA5510-K8 as firewall, has access rules set up for restricted PCs: [code] permit
On those PCs, users can only browse the websites that are in favorites, but some of them are working, some are not. Test on unrestricted PC: websites that can’t be accessed from public PCs can be accessed on regular PCs, either by address or IP. Checked GPO setting, don’t see anything wrong there.
Dec 26, 2012
I am having an issue where I cannot access certain files on websites. It looks as though the files are accessed via FTP. Could my router be blocking it? I have a Cisco 2801 router acting as a firewall.
Feb 27, 2012
I have a problem with a PIX 506E that has version 6.1: in a simple computer network the equipment seems to behave in strange ways, because some web sites do not open or open very slowly, making its operation impracticable. On the other hand, other web sites open normally.
Querying the Cisco web site, I found several documents discussing the same problem but in a later version (7.0), not in this version 6.1.
I've tried removing the PIX from the network, and the error did not occur; I inserted the PIX again, tested with only one machine, without the rest of the network, and the problem persists.
Jun 26, 2012
I'm using DIR 600 for home use. Recently, I noticed that I have trouble connecting to some websites (Twitpic.com, 4shared.com) which I never had any problems before I used the wireless router. It doesn't exactly block the websites but rather it won't load completely (i.e., with Twitpic, I can load the site but not the images; for 4shared I really can't load the page itself). Initially, I had problems updating JDownloader after installation. I tried using our old Edimax wired router, and the JDownloader update worked flawlessly. I also tried loading Twitpic while connected via LAN, and it also worked properly. I'm assuming the problem lies with the wireless router but when I set it up for use I only tinkered with the WPA/WPA2 security for a password-secured wifi connection at home, and nothing more since I can't understand the other features.
May 22, 2011
I just installed a Cisco ASA 5505 in my company's network; however, the network became so slow and many websites cannot be opened or take too long to open (yahoo, hotmail etc.), sometimes resulting in a request timeout.
Here is my configuration:
ASA Version 8.2(1)
!
hostname xxxxxx
enable password xxxxxx encrypted
passwd xxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address
[Code].....
Aug 20, 2012
We have a Cisco ASA 5520 and Websense. I added a filter but it seems like it is still not allowing us to access a certain website from most of the machines; however, some machines with the same configuration work on the DMZ. Accessing the website tells us:
"Firefox has detected that the server is redirecting the request for this address in a way that will never complete".
Filter I applied on the firewall:
filter url except 0.0.0.0 0.0.0.0 64.18.218.0 255.255.255.0 allow
filter https except 0.0.0.0 0.0.0.0 64.18.218.0 255.255.255.0 allow
Apr 15, 2013
I have a configuration of ASA 5510:
ASA5510# show run
: Saved
:
ASA Version 8.3(1)
!
hostname ASA5510
domain-name lohoi.local
[Code]..
When I configure it to block websites it's OK, but unblocked websites are very slow to access, and sometimes I can't access them. My company has 50 users; almost all of them can't access unblocked sites. How can I configure it better?
Jan 20, 2013
I have installed a new ASA5510 with CSC, and everything is working properly except the access to websites using https. All sites/access to them seem to be blocked by the ASA. I have read that this access is by default enabled and I have tried to add configuration to allow https access to the firewall but without success. [code]
May 4, 2013
I have a Cisco ASA 5505 in my home office which has a few PCs behind it with a linux web server running some websites. I can access the websites from outside no problem (i.e. on my iPhone using a 3G connection). However, I struggle to access the websites from within the network. The ASA gives me this error: [code]
Jan 31, 2011
I have a Cisco ASA 5510 as firewall. I was trying to block some sites using the link provided below
[URL]
and it's working fine, but the problem I am having is that when I go to download an attachment from hotmail it's not downloading, from gmail and other mails it's
Nov 3, 2012
I found an interesting manual at this forum for blocking websites with local content filtering. After I modified the variables to get more details, I stopped at one question. My current problem is "zone-pair".
zone security Z-SECRUTIY-SOURCE
zone security Z-SECRUTIY-DESTINATION
zone-pair security ZP-SECURITY source Z-SECRUTIY-SOURCE destination Z-SECRUTIY-DESTINATION
service-policy type inspect CM-INSPECT-TRAFFIC
[code]...
Jun 22, 2011
How can we host 300+ secure (https) websites using a couple of public IPs on an ASA5520 with AIP SSM-20 and with as few certificates as possible?
Summary of set-up:
We currently host a number of websites using an ASA5520 and use host headers, so have 6 servers with around 40 hosted URLs. The number of websites is due to double very soon and we will need to use more of our public IPs. We can see that we will run out of public IPs very soon, especially as there is a project in the pipeline that has a likely requirement to host an additional 200+ websites.
Each of these websites is required to use https and therefore each must have a certificate, which will be very expensive. PCI DSS (payment card industry data security standard) is causing us issues because we had hoped to post the certificates on the firewall (one for each physical server) and then run the data unencrypted from the firewall to the relevant web servers, so that we could use one certificate for lots of websites and therefore reduce our certificate costs; however, it is not best practice to do this due to the data being unencrypted within the firewall and on the DMZ network and therefore potentially open to compromise. I doubt that we could install 200+ certificates on a 5520 and then re-encrypt the data to the web servers, especially seeing as we also have an IPS card that is already running at around 70-80% util due to the performance overhead.
BTW - We also have an in-line Breach WAF which will be required to inspect the packets (certificates to be installed on the WAF to allow this).
Aug 19, 2011
I am new to firewalls and I am trying to make mine block specific websites but so far have had no success. Here are the settings I am using in the router's admin area:
Security > Firewall > General
Active firewall
Security > Firewall > Rules
[Code].....
Aug 18, 2011
My company has a peer to peer network of 10 personal computers without a server. Operating systems from Windows XP to Vista. I've recently installed a Cisco RV120W Wireless-N VPN Firewall. It's configured in DHCP Server Mode with printers/copiers that have static IPs below the DHCP range.
I'm having a problem with certain stations being used for personal networking, shopping, etc. during business hours. Consequently I would like to limit internet access on these stations. However, some internet access is required because of online database software that's an integral part of our business. I've been reading in the Administration Guide about URL Blocking. Would it be possible to give static IPs to certain stations and then limit their internet access to 1 or 2 specific websites?
FYI, I've read about the Trusted Domains and Blocked Keywords but cannot quite understand how to parlay this into the solution I need.
Jan 20, 2012
Want to transfer email and email folders to a disk. I have Windows Vista on my computer and I use Comcast for an internet server.
Feb 23, 2011
If I want to send a packet from one host to another host through a router, how will the packet be sent? I mean, what are the stages through which a packet reaches the destination?
Nov 13, 2012
How can I move the screen to the right because it is missing me a part so how can I do it?
Jul 15, 2011
Can I move my Linksys router to a new computer and keep all the settings and MAC addresses that are set up or do I have to reset it and start all over again? I'm also installing a new modem.
Jul 10, 2011
I have two SSIDs on my 1130ag, each with different security. When I use WEP I can get my email on my Droid. When I connect to the second SSID and use wpk I can get to the Internet but my email will not move in Exchange.