Cisco Firewall :: Log Shows Wrong Source / Destination ASA 8.3
May 25, 2011
The Cisco ASDM or the event manager show wrong source/destination for teardown tcp messages:In this example the communication is an ssh session;from 1.1.1.1 -> 2.2.2.2 ssh and the connection is reseted by 2.2.2.2
The message build outbound is correct, i.e. source is 1.1.1.1 (message id is 302013)
But the teardown is incorrect, i.e. source for the connection is 2.2.2.2 which is definitely not true (message id is 302014)
Also there seems to be a documentation bug in syslog messages for ASA 8.4 since the message for the teardown 302014 is gone!
View 3 Replies
ADVERTISEMENT
Apr 16, 2012
I have a internal subnet 192.168.3.0/24 sitting behind an ASA firewal 8.2 and would behind accessing to web server 192.168.11.54 which sits behind the outside interface of the ASA firewall.The access would be like this:
1) 192.168.3.0/24 will be accesing to the web server http://192.168.11.54
2) We would like to translate the source 192.168.3.0/24 to the firewall outside IP address
3) We would like to translate the destination web server 192.168.11.54 to 202.90.197.146 as well
How to perform this simultaneous source and destnation address translation in ASA firewall 8.2? Could this be done in ASA firewall 8.2?
View 1 Replies
View Related
Apr 22, 2013
Is it possible to NAT source & destination addresses (twice nat) on an ASA5520 running 7.2(5)?
View 4 Replies
View Related
Jul 24, 2011
I have a situation which requires some non best practice stuff to be done. There is a box behind an ASA that has a lot of code that references public DNS names and therefore needs access to itself and a number of other boxes on the same subnet via the public DNS names (that obviously resolve to public IPs). This traffic is dropped on some pretty fundamental ASA characteristics.I know this isn't really ideal, and it should be handled by DNS nstead, but I'm in somewhat of a bind and need to know if the ASA can allow this traffic.I figure I could match the traffic and exempt it from state-checking and that would probably work, but it's not a very graceful solution.
View 2 Replies
View Related
Dec 2, 2012
I want to know if there is way to tag traffic with DCSP tags without having to do all the other requirments of QOS setup. All i want to do is just tag traffic at different DCSP values via source and destination IPs. We do not have a need to be priortizing traffic on out internal switches. We just want to tag the traffic so our MPLS provider can distinguish the different types of traffic.
Our environments is primarily 3750s in all offices.
View 6 Replies
View Related
Jul 30, 2012
I have a requirement to bypass some specific traffic (with particular source to specific internet destination) in ACE 4710.
All the webtraffic (http and https) is configured to loadbalance to my proxies , i need to configure some specific traffic with source and destiantion to internet to byepass from this loadbalancing and directly got to outside interface .
View 1 Replies
View Related
Nov 5, 2012
i would like to monitor traffic between multiple source ports to multiple destination ports on a nexus 7k. i lknow when you set up monitor session is between source and destination (laptop or traffic analyser) but is there a way i can set up between source and multiple destination ports and capture that traffic ?
View 3 Replies
View Related
May 19, 2013
Basically I am trying to use Wireshark to do a packet capture on a Nexus 5010. I want to do a monitor session on on the switch so I can capture from a source port to a destination port on the same switch. I can configure the source port but when I go to configure the destination port I get "ERROR: Eth102/1/4: Configuration not allowed on fex interface". I have tried to reconfigure this port as a switchport but "switchport mode access" command does not take. I don't want to make any changes to any other ports but this one.
View 1 Replies
View Related
Aug 9, 2012
I'm trying to get ERSPAN working with an ERSPAN source on a Nexus 5548 and the ERSPAN destination on a Catalyst 6500.
The configuration on the Nexus is as follows:
[...]
interface loopback0
ip address 192.168.2.133/32
[Code].....
If I do a netdr capture I can see ERSPAN traffic sourced from the Nexus reaching the C6500, but there doesn't appear to be anything sent out the ERSPAN destination inerface (Gi4/6) and there's nothing being received by the probe connected to that interface. I know the traffic seen with netdr is definitely the ERSPAN traffic sourced from the Nexus as I've changed the TTL and DSCP values within the monitor session on the Nexus and can see those changes reflected on the C6500 netdr capture. The attached is a screen grab of the show netdr capture started with debug netdr capture soure-ip-address 192.168.2.133.
When I look at the interface I see it shown as up/down (monitoring), but no output or counters clocking up. If I run a local SPAN session on the C6500 it works fine.
I've tried changing the destination IP address from that assigned to the C6500 Loopback interface to an IP address assigned to a physical interface, but that still doens't work.
The hardware in the C6500 is WS-SUP720-BASE Hw version 3.2 with WS-F6K-PFC3B Hw version 2.4. The IOS version is 12.2(33)SXI6.
View 2 Replies
View Related
Feb 20, 2012
We have 2 6513 switches with SUP720/PFC3A and various POE modules and a 6748-GE-TX facing our servers. Additionally, we have a 4Gbps portchannel trunk interconnecting the switches. We have approximately 300 Nortel IP 1140e phones in use between the two switches.For the purpose of call recording, we've attempted to mirror the voice vlan using various approaches and have been met with limited success. We mirrored the VLAN using tx, rx, and both. When using both we appear to get duplicate packets at the destination interface.We seem to lose packets completely going in one direction or another for a given call. Packets are lost before they get to the destination interface?
View 2 Replies
View Related
Nov 29, 2012
when I hover my mouse over my signal bars it says I am connected to a network named 'home-9C78' but when I click to bring up my list of available networks, it says I am connected to a network named 'Reshiram' Reshiram is the name of my network and there is NO 'home-9C78' ANYWHERE in the list!!! I don't know where my computer gets this home-9C78!!! and I NEVER ever connected to a network with that name!!! it is supposed to be 'Reshiram
View 2 Replies
View Related
Oct 15, 2012
I Have asa 5520 with the code 8.0, the mem shows 94% and the CPU shows 85%
View 5 Replies
View Related
Jun 11, 2013
I need configure destination NAT in my ASA 8.2 version only for a specific origin.
Today, the network 10.84.25.0/24 access the web server with IP 172.17.3.150, i need Nat the IP 172.17.3.150 to 10.96.202.10 only for
10.84.25.0/24 network.
How i can configure this in 8.2 version?
View 2 Replies
View Related
Sep 7, 2012
Can I configure two IPsec tunnel in a ASA5525X, when the destination is same.
View 1 Replies
View Related
Sep 21, 2011
Is it possible to assign a static route to an interface and not globally on a ASA 5510 ver 8.3.
I have two links between my offices one for Data via a VPN and one for video traffic which is a secure connection with QOS end to end.
All interfaces are on the same security level of 100 except Outside which is 0.
Office 1 Interfaces ASA 5510
VLAN 1 vOffice1Data 10.40.1.0/24
VLAN 3 vOffice1Video 10.40.2.0/24
VLAN 5 vInterOffice 10.40.5.0/24 (QOS connection Between Offices)
[Code]....
At the moment if I try and access data from VLAN 1 to VLAN 4 it gets to the destination ok going through the static route and over the vInterOffice connection but the problem is VLAN 4 returning the traffic. This fails because there is no static route back to VLAN 1. If I create a static route from Office 2 to VLAN 1 then it will route all my data traffic over it as well.
View 2 Replies
View Related
Sep 25, 2012
we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?
View 3 Replies
View Related
Oct 29, 2012
Does ASA 8.4.3 check the source IP address of a DNS reply and drop it if the reply address is different to that in the query?
Customers DNS server does this due to a recent change, their server now has a virtual address, but replies are sent from its physcial address. This is temporary. Their PIX is happy with this.
Replace the PIX with the ASA, DNS fails, the only reason I can see is due to the way their internal DNS operates.
View 1 Replies
View Related
Feb 22, 2013
I have been tasked with building a vpn tunnel with a partner company between our company's PIX firewall and the other company's ASA's firewall. The traffic flow will be Partner A company users will be accessing my company's Citrix server. I want to source-pat the partner company user traffic to my company's PIX inside interface as it enters my LAN to access my company's Citrix server. The partner company will be PAT'ing their user traffic to a single ip address - let's say for discussion purpose it is 68.108.244.25. So there will be site-to-site vpn configuration and nat configuration required to be performed to enable this traffic flow according to the above requirements. I am comfortable with the site-to-site vpn configuration tunnel so I don't think it is necessary to post this portion of the configuration to be reviewed by this form. What I do need is NAT portion of the configuration.
{My Company's Citrix Server} ---------<inside ifc>-[PIX525]-<outside ifc>--------(internet)------{Partner Company A host PC's}
10.100.12.103 68.108.244.25
My proposed configuration to enable nat'ing (or pat'ing) Partner A user traffic to my PIX firewall's inside interface is the following:
global (inside) 9 interface
nat (outside) 9 access-list PartnerA_source_nat
access-list extended PartnerA_source_nat permit host 68.108.244.25 host 10.100.12.103
View 3 Replies
View Related
Dec 5, 2012
I have a server in a DMZ of my 8.4 ASA with nat:
object network FTP-SERVER
host 192.168.1.102
nat (dmz,outside) static interface tcp ftp ftp
And that's working well. However, I now need to translate the source address of connections from the outside to the FTP server as well. The aim is that the source address of packets when they reach the FTP server is an address on the DMZ subnet (as the default route for the FTP server now needs to be something else, not the ASA) as well as this outside-dmz NAT. I thought overloading the DMZ interface of the ASA? Or another IP in that range?
View 2 Replies
View Related
Jul 1, 2012
I am running a Cisco ASA 5550 in active/standby mode. We are currently running ASA OS v8.2(3)5. I am wondering if there is a way I could limit source IP concurrent connections coming in my outside interface. Does the ASA have a feature/ACL syntax that supports this?
View 2 Replies
View Related
Mar 21, 2011
I'm using a 2911 as our Public Internet Edge Router. I have 2 public sub net blocks from Sprint, we are in the process of migrating. What i need to do is NAT any source address from the Internet from an address on one of our public blocks to the other.
Example:
Source Address 11.10.10.10 ==> Destination 64.165.123.10 (nat this to 64.165.54.10) inbound.
So if from the internet tries to hit 64.165.123.10 we want to nat that to 64.165.54.10 both of which sit on our public space.
View 1 Replies
View Related
Jul 4, 2012
I have a problem with random host's geting the wrong source address on a ASA 5512-X 8.6(1). Right now there is a host, 192.168.25.108, showing up with 6.6.6.6 (fake) on whatsmyip.org, should be 5.5.5.5 like the rest of 192.168.25.0/24. In the xlate tabel I cant find anything wrong. Same yesterday with two host, that are using the right NAT address today.
nat (any,outside) dynamic interface. (5.5.5.5)
object network H-192.168.25.10
nat (inside,outside) static H-6.6.6.6X(code)
View 1 Replies
View Related
Apr 8, 2011
when u use the debug cryoto isakmp 127 on the asa 5510, in order to troubleshhot remote access vpn users,to which entry r u looking in the debug to see if the user enter wrong password?
View 1 Replies
View Related
Nov 24, 2011
I've configured a VPN IPSEC on my ASA5510. It Assigned IP/NETMASK/Gateway via a DHCP Server on the LAN.The problem is that when a client is connected to the VPN , it takes the right IP and NETMASK. ( 192.168.1.109 / 255.255.255.0) but the Default Gateway is wrong ( 192.168.1.1). It should be the default Gateway of my LAN router ( 192.168.1.229).
View 7 Replies
View Related
Apr 17, 2012
We have an ASA5520 running ver 7.0(8), nat-control is disabled. On the "outside" interface we have a closed network which is publicly addressed i.e. no access to Internet. We also have two Vlan interfaces on a trunk connection i.e. "inside" interface (Vlan7) and "dmz" interface (Vlan802). Traffic from the "outside" to "inside" is statically NAT'd such that the public IP is translated to a private IP when accessing the "inside" interface. However, our OSS servers on the "dmz" interface need to be able to receive packets from the public IP addresses on the "outside" . All is okay with the outside to inside traffic and traffic initiated from the OSS servers on the "dmz" to the outside works okay (snmp gets etc) i.e. the servers receive reply packets from the public addresses of the outside devices.
However, traffic that originates on the "outside" interface (snmp traps etc) which is destined for the "dmz" is actually being routed to the "inside" interface and therefore the public source address is being NAT'd by the static NAT command. The access-list "in_on_outside" has relevant entries to allow connectivity from outside to dmz, we have tried a static nat command (outside, dmz) to maintain the public addressing but this made no difference and also a nat exempt. With ########nat-control disabled - do I still need a translation or NAT exempt for the "outside" <> "dmz" traffic flow, if so how should this look ?
View 11 Replies
View Related
Jan 10, 2012
I've got email logging for a few specific syslog messages working and sending to an email server on the inside network. However, the source IP ends up being the DMZ interface. Is there a way to force it to use the inside IP instead?
ASA Code Version 7.22
Inside Interface IP: 10.104.36.4 Mask:255.255.255.0
DMZ IP: 10.100.20.1 Mask:255.255.255.0
SMTP Server IP: 10.100.10.100
Logging commands in config:
logging enable
logging list email-alerts message 106100
logging mail email-alerts
logging from-address ASA@xyz.com
logging recipient-address tgw@xyz.com level debugging
View 3 Replies
View Related
Jun 10, 2013
I am setting up an ASA5515 to replace an existing Linux based firewall. Unfortunately the ASA5515 does not support source based routing.I have two internet connections currently used for specific connections - the second connection is NOT a failover connection.I have the default route to Internet connection 1.I want to route smtp out the second Internet connection.The routers connecting to the internet are a 877 and an 878The options I am considering is a layer 3 switch between the firewall and the routers to enable source based routing or replacing the 2 routers with a single router and the appropriate wic interfaces.
View 2 Replies
View Related
May 10, 2012
customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address, one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
View 3 Replies
View Related
Jul 13, 2011
i have a problem customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
View 6 Replies
View Related
Dec 27, 2011
I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind, is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10 and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible? I'm using an ASA5510 but I could also switch to a 5505 for this.
View 3 Replies
View Related
Nov 22, 2011
I have two ASA5510-BUN-K9 Fws and I am planning to buy 2 x L-ASA5510-SEC-PL= to put them in HA.I was wondering if the support contract that I curently have for the two ASAs is still valid or do I have to buy any support upgrade?
View 1 Replies
View Related
Jun 3, 2012
I have setup an asa 5505 with multiple sub nets (plus license) and a vpn tunnel (ipsec) between this and an other asa on a second branch office (multiple vlans) . Now I need to route only two vlans from the first site to reach some of the second branch networks
let's call them: 1 branch
A-172.16.4.0/24
B-172.16.2.0/24
2 branch
C- 10.10.10.0/24
D- 10.20.10.0/24
E- 10.66.10.0/24
the tunnelis ok From A to CDE . but from B to CDE won't come up. pinging is unsuccessful as well as all other traffic. the connection profile is setup to have both A and B as local networks and A and B by the moment share the same access rules configuration.
logs show firewall 1 let pass and build connections, without denies, but remote firewall does not receive a single packet from the source ip from network B.
View 2 Replies
View Related
Jul 10, 2011
I have decided build an open source firewall in linux environment. I have exactly one year to complete this project. The firewall will be a stateful packet filtering firewall working at network, transport and application layers. I would also be provided log analysis features. What I want to know is whether this is a good enough project or put in other words, is it a worthwhile project to undertake?
View 13 Replies
View Related