Cisco Firewall :: Mapping Servers Behind An ASA5505?

Nov 12, 2012

I have the following configuration: An ASA5505 with Security bundle license sits at the perimeter with a single public IP address assigned to VLAN2 (outside) out of a /29 block. I have two servers with static IP addresses of 10.70.21.6 and 10.70.21.7 connected to the inside ports with default gateway of 10.70.21.1 (which is the IP address for the VLAN1 inside). I have already configured a default static route and NATing (PAT) so we have internet connection for the PCs. Now I need to configure the ASA to allow remote desktop connection to the servers (with static IP addresses above). Can I use a spare public IP address for each server and if so, whats the syntax? or is there another method? I have used this before but I had a Cisco 2811 router on the perimeter so the syntax was at then: ip nat inside source static 10.30.1.248 81.85.199.44

View 6 Replies


ADVERTISEMENT

Cisco Firewall :: Putting Servers Behind ASA5505?

Jan 25, 2012

I am in the process of adding a lot of servers to sit behind our new ASA 5505 (8.4) firewall. At the moment I have added 2 servers and they are both NAT'ed to 2 different public IPs.
 
Server 1     192.168.10.1 -> 80.*.*.1
Server 2     192.168.10.111 -> 80.*.*.6
 
The first server can only be RDP'ed in to using its public IP which is what I want it to do. The second one has most of the service ports open like 443, 80, 110, 25 and etc. However when I try and browse externally to [URL]. I get an " Error 107(net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error." in Google Chrome or any other browser. and the ASA reports:11:27:30192.168.10.111262680.*.*.6443Inbound TCP connection denied from 192.168.10.111/2626 to 80.*.*.6/443 flags SYN  on interface inside and I also get a Land to Land attack detected from 80.*.*.6 to 80.*.*.6
 
Is it worth setting up a DMZ or can I get away with the setup I have?

View 2 Replies View Related

Cisco Firewall :: ASA5505 - Blocking Internal Traffic Between 2 Servers

Oct 25, 2012

I have a cisco ASA5505, it runs a wide site to site VPN network and has 4 servers connected to it
 
10.50.15.4 > fileserver
10.50.15.5 > domain controller (exchange)
10.50.15.6 > terminal server
10.50.15.7 > terminal server
 
Now yesterday i removed 10.50.15.6 and replaced it with a new terminal server with the same ip address, ever since the ASA is blocking traffic between it and the domain controller (example)
 
2Oct 27 201214:51:0510600710.50.15.655978DNSDeny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query What has me baffled is the only thing different between today and yesterday is the new server is windows server 2008 and the old one was windows server 2003. The new server has the same LAN ip address as the old one to make the changeover seamless for the users.
 
why all the sudden my ASA has decided to block the traffic between those machines? all the other machines can talk to it fine just not the domain controller, and seeing that this is a terminal server naturally you can see the problem i face!
 
this router has worked flawlessly for 2 years now without any config changes and i cant work out why its blocking traffic between those 2 machines.

View 15 Replies View Related

Servers :: DNS Mapping Does Not Work On Computers?

Jun 25, 2012

I've been trying to map a specific domain name (say a.net) to a local (static) IP of a computer on that specific network, running Apache and used as a server.I did this by setting the Static DNS mapping configuration on my Dynalink RTA-1025W management panel.That works flewlessly on my iPhone and iPad, but does not work at all on any computer - desktop or laptop, Mac or PC, WiFi or LAN (tried a few desktop PCs, an iMac, a PC notebook and a MacBook Pro). On all of them, the browser is uncapable of resolving the DNS mapping, showing an error such us "Server Not Found".The only way I could override that behavior is modifying the hosts file, and that is not a solution for me, as the network is used by guest machines (say, as a public WiFi in an hotel).Is there a better approach for that?

View 16 Replies View Related

Cisco VPN :: ASA5505 Users Connect But Can't Access LAN Servers

Feb 16, 2012

I have a ASA5505 and setup SSL VPN. My users can connect to the VPN but can't get access to any of the internal servers.

View 3 Replies View Related

Cisco Firewall :: Port Mapping On ASA 5505?

Jun 6, 2011

how do you enabled multiple port mapping on asa 5505? i want to use 1 static ip address for rdp connection for 15 users, and the port will start from 3390 to 3340. 

View 4 Replies View Related

Cisco Firewall :: Mask DMZ Servers From Private Servers And LAN ASA 5520

Jun 11, 2013

We are planning to split the Private servers from the DMZ Servers and configure an additional Interface and segment for this purpose.
 
Private Servers Segment: 192.168.4.0/24 (there is no DHCP all servers' IPs are statically configured)
DMZ Segment: 192.168.3.0/24 (This is a future deployment)
LAN Segment: 172.17.0.0/16
 
Both, Private Servers and DMZ Servers are in a collocation as well as the ASA5520. There are multiple Branch offices that uses subnets within the 172.17.0.0/16 Network and they are connected to the ASA5520 via Metro-E.
 
I do not know if this is possible but what I want to do is this:
 
In order to avoid the change of internal DNS records I want to mask the DMZ servers with a Private Server IP when a Private server or LAN host wants to access it like this:
 
The FTP server in the DMZ has the IP address: 192.168.3.100. But when a PC from the LAN wants to reach the FTP server it should points to its old IP: 192.168.4.100. This way the PC sends a packet to the ftp.corporate.net (192.168.4.100) the ASA recieves the packet and translate it to the (192.168.3.100) and send it out through the DMZ Interface.
 
Also if the Private Servers wants to reach the same FTP the ASA will act like a proxy-ARP and send the paquet to the DMZ by means of the translation of the IP.

View 6 Replies View Related

Cisco Firewall :: 5520 - Static Mapping On ASA From IPv6 To IPv4

Dec 7, 2011

ASA 5520 running 8.2
 
Is it possible to do static (inside,outside) with the outside address being IPv6 and the inside IPv4?
 
If yes, is it possible to do this in parallel with an existing static mapping that goes IPv4 to IPv4?

View 3 Replies View Related

Cisco Firewall :: Users Behind ASA5505 Firewall Are Unable To Access Internet

Feb 24, 2011

I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.

When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.

The ASA5505 configuration is shown below.

hostname Firewall

interface Ethernet0/0
description Connected To Internet Router
switchport access vlan 10

[Code].....

View 2 Replies View Related

Cisco Firewall :: ASA5505 Lose Configuration If Upgrade Firewall

May 17, 2011

i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.

View 2 Replies View Related

Cisco Firewall :: ASA5505 Can't Ping New Firewall On Inside Interface

Jul 14, 2011

I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.

View 32 Replies View Related

Cisco Firewall :: Unable To Ping Internet IPs From ASA5505 Firewall

Jan 9, 2013

Internet ISP -> Juniper SRX 210 Ge-0/0/0
Juniper fe0/0/2  -> Cisco ASA 5505
Cisco ASA 5505 - >Inernal LAN switch.
 
1.  Internet  is connected to Juniper Ge0/0/0  via /30 IP.
 
2. Juniper fe0/0/2 port is configured as inet port and configured the Internal public LAN pool provided by the ISP. And this port is directly connected to  Cisco ASA 5505 E0/0. Its a /28 pool IP address. This interface is configured as outside and security level set to 0.

From Juniper SRX, am able to ping public Internet IPs (8.8.8.8).
 
Issue:

1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30)
2. From ASA no other Public internet IP is pinging.
 
Troubleshooting Done so far.
 
1, Configured icmp inspection on ASA.
2. Used the packet tracer in ASA, it shows the packet is flowing outside without a drop.
3.  Allowed all services in untrust zone in bound traffic in Juniper SRX.
4. Viewed the logs when I was trying the ping 8.8.8.8 in ASA. It says "Tear down ICMP connection for faddrr **** gaddr **

View 2 Replies View Related

Cisco Firewall :: ASA5505 Firewall Rule Not Blocking

Apr 1, 2013

I'm trying to troubleshoot an ASA5505.
 
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
 
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic.  I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did.  That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
 
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below.  However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
  
show ver 
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2) 
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"

[Code].....

View 4 Replies View Related

Cisco Firewall :: 5505 PAT With Single Public IP And Several Servers Behind Firewall

Nov 21, 2012

New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
 
-Single static public IP:  16.2.3.4
-Need to PAT several ports to three separate servers behind firewall
-One server houses email, pptp server, ftp server and web services: 10.1.20.91
-One server houses drac management (port 445): 10.1.20.92
-One server is the IP phone server using a range of ports: 10.1.20.156
 
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505.  Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP? [code]

View 11 Replies View Related

Cisco Firewall :: 6500 Cannot Ping The Servers Behind The Firewall

Feb 18, 2013

I have 2 modules of FWSM in 6500 switch (failover).I need 5 context.When I use in routed mode (like in the picture) , I cannot ping the servers behind the firewall. (I have ping to FW context),In transparent mode, it is not happening.what is the problem with routed mode?

View 1 Replies View Related

Cisco Firewall :: Using IP Aliases On ASA5505

Nov 29, 2011

Is it possible to use IP "aliases" on an ASA5505 to use as static NAT public IPs to private IPs?  For example, I have int e0/0 connected to my ISP using a /30 subnet and I have my private LAN connected to e0/1 with a /24 subnet.  At the moment I can use the one usable IP from the /30 to NAT to the private LAN.  The ISP is also routing a /28 subnet to the one public IP of the ASA. I would like to use some of the /28 IPs for NAT also.  Can it be as easy as just adding the NAT commands? I figure I would have to add that subnet to the ASA somehow, no?  In other devices (including the SA520) they use a concept called IP aliases whereby you define what additional IPs the device can use in its NAT config.  Does the ASA support aliases?  Maybe I have to do something with VLANs?

View 2 Replies View Related

Cisco Firewall :: Use 1 / 2 Gb Memory With ASA5505 Only 512 Mb

Jun 15, 2011

it is possible use 1 or 2 Gb memory with ASA 5505 or only 512 Mb ?

View 3 Replies View Related

Cisco Firewall :: Routing Using ASA5505 And Pix 501?

Jun 16, 2011

I have 1 network that I'm trying to make secure, and it needs to access 2 seperate networks.   I tried using an ASA5505 that I had on the shelf to accomplish this but discovered that I had the basic license and that was prohibiting me from getting my connection to my 3rd network.  I scrapped that idea and grabbed an old pix 501 off the shelf to bring my connectivity to my 3rd network online since the 3rd network is only passing ip traffic to a small group of servers on the outside I figure the 501 should be just fine.
 
So, here's the problem I am running into:My internal network is 10.10.16.0/16, I have a new domain controller with DHCP on it handing out addresses in the 10.10.16.0/24 range.External Network 1 is 192.168.16.0/24.  The services I need from that network are primarily in 192.168.0.0 range, however there is a comcast router 75.123.123.123 (Changed of course) that provides high speed internet I need for my www traffic.External Network 2 is 10.1.1.0/16  I have about 4 servers I need to access on this network and that's it.   This network has it's own domain and DHCP controller and I've been given a range of ip's to use on this network of 10.1.3.180-10.1.3.189 My switch is just a plane jane 3com switch with minimal management so I am attempting to use my ASA5505 to handle my layer 3 routing. 
 
So here's my issue:ASA5505 (IN:10.10.16.1, OUT: 192.168.16.6):  Passes traffic to External Network 1 and to the comcast router, no problem.   All my computers on my 10.10.16.0/16 network have access to everything on 192.168.0.0/24 as well as getting full name resolution and www traffic across the comcast router.  Can NOT access 10.1.1.0/16 no matter what.  From inside the ASA or from on the inside LAN ports.  It CAN ping the PIX 501  PIX 501 (IN:10.10.16.3, OUT: 10.1.3.180)  Can ping EVERYTHING.  Can ping 192.168.0.0/24, can ping 10.10.16.0/16 and can ping 10.1.1.0/16.    Set to globally assign the other IP's in my range as addresses for outgoing traffic.Workstations (IN: 10.10.16.XXX DHCP, using 10.10.16.1 as gateway)  Can only access everything on External Network 1.  ZERO access to External Network 2. ATM I have both INSIDE and OUTSIDE ACL's wide open for both firewalls just to get connectivity going.  I will be tightening it up after it is operational.Attached find a log file (Sensetive data removed of course) that contains the sh run and sh ver for both the ASA5505 and the PIX 501.

View 1 Replies View Related

Cisco Firewall :: Asa5505 Do We Need Ios Update

Mar 14, 2013

I just got an ASA 5505 with Cisco Adaptive Security Appliance Software Version 8.0(4) alredy loaded on it.  Should I update/upgrade it to the newest IOS release, or is the 8.0(4) good and stable?

View 3 Replies View Related

Cisco Firewall :: Setup DMZ Using ASA5505?

May 3, 2012

I'd like to setup a DMZ network with the ASA5505. Do I need the "Security Plus Bundle"?

View 1 Replies View Related

Cisco Firewall :: ASA5505 With WRVS4400N On COX?

Apr 25, 2012

I've been trying to get my WRVS4400N connected to my ASA5505 on the internet through a Cox connection, but it isn't working. I cannot get the ASA to be the DHCP server for the wireless router. I've configured the wireless router as a gateway and pointed the DHCP server to the ASA but no addresses are being passed through to the wireless router. I've included a copy of my config.

ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)

[Code].....

View 3 Replies View Related

Cisco Firewall :: ASA5505 With Multiple WAN IPs?

Jul 24, 2012

We are trying to utilize a 5 ip block of addresses provided by our ISP. What we have assigned from them is like this: 10.10.10.46 - 10.10.10.50 is our ip range. 10.10.10.45 is the gateway. Subnet is 255.255.255.248. If we assign 10.10.10.46 to the outside interface how do we accept inbound traffic from the other addresses?

View 6 Replies View Related

Cisco Firewall :: Can't Ping Or RDP ASA5505

Sep 4, 2012

I have Vlan 100 (inside) and Vlan 65 (Outside)I'm trying to configure RDP and ping traffic from Vlan 100 to Vlan 65 One way.If I connect 2 PCs on E0/0 and E0/1 they can happily ping the their own VLAN ip add 192.168.100.3 and 172.16.65.1I've copied my config,

ASA Version 8.4(4)1
!
names
!
object-group network A_Network
network-object 172.16.65.0 255.255.255.0

[code]....

View 9 Replies View Related

Cisco Firewall :: Configure Dmz On ASA5505

Dec 20, 2011

I have a asa 5505 Sec plus with 3vlan, inside, outside and dmz.
 
On the outside i have 5 ip's for my use, and in the dmz i have a webserver that need to communicate with one sql server on the inside.
 
The "sql" also needs to be accessible from outside and thus has a static nat with a dynamic nat so it replies from same ip as on nat ie 72.72.72.5 webserver is natted with 72.72.72.6
 
sql inside ip is 192.168.1.2, gw 192.168.1.1
webserver ip is 192.168.2.100 gw 192.168.2.1 
sec lvl on inside is 100 and on dmz 50
 
with a dynamic policy  running inside-net/24 to dmz-network/24 translagt to dmz 192.168.2.2 i can get it to ping 1 way from inside to dmz, but not the other way around...
 
All i need is to open 1 port  ie 6677 both ways for this communication to work.
 
I'm not very familiar with the CLI and do most stuf in GUI  (know i should learn CLI, but time doesnt let me)...

on access rules i have just added everything from any to any using , ip, icmp, tcp and udp just to be sure...  :-)

View 47 Replies View Related

Cisco Firewall :: DNS Redirect On ASA5505?

Feb 29, 2012

I want to make it so if a user tries to use a different DNS server the request will be redirected to the one they should be using.I thought this might work but the ASA doesn't do PB routing
 
ip access-list extended transparent_dns
permit udp any any eq 53
route-map redirect_dns permit 10
match ip address transparent_dns
set ip next-hop ip.of.your.server
route-map redirect_dns permit 20

[code]....
 
The DNS server is windows 2003?Would policy based NAT or WCCP work for this? If so how would I go about it?

View 1 Replies View Related

Cisco Firewall :: ASA5505 As LAN Router?

Nov 22, 2011

I would like to use an ASA5505 as a simple LAN-to-LAN ethernet router.  My plan is to configure two interfaces with the same security level and then use the command that allows interfaces with the same security level to communicate with each other.  I can get this to work without having to setup and ACLs or NAT stuff.

View 5 Replies View Related

Cisco Firewall :: Use Dual ISP's With ASA5505?

Oct 1, 2010

for the purpose of a redundency, incase the primary ISP goes down the backup kicks in.Can this be done with the basic license (max 3 vlans) or you need to have the security plus license. (20 vlans) Currently not using the 3rd vlan (dmz)

View 5 Replies View Related

Cisco Firewall :: ASA5505 For Passive FTP?

Apr 18, 2012

setting up ASA to allow passive FTP connection! I can get the FTP client to connect but it does not pull the directories. I have opened 21 and range of 55536-55566. I had some trouble gettting the range opened and saved. Normally with other small business routers (GUI) I make sure those ports are forwarded and ftp works.
 
Is the ftp inspection killing connection or is it my config?
 
ASA Version 8.4(2)
!
hostname ciscoasa
enable password vRLm0eRL2O14iLM6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

[Code].....

View 3 Replies View Related

Cisco Firewall :: ASA5505 VPN Throughput

Jan 31, 2012

Do some have some realistic performance numbers for a ASA 5505 on a mixed setup with local internet breakout and site to site vpn ( and don't tell me 150 mbps 3des throughput on a 100 mbps ethernet) - what can be expected in a live environment where we f.ex feed it with a 100 mbps internet connection - with a site to site vpn with f.ex 20 office workers running office on a remote terminalserver and mixed local internet breakout.

View 2 Replies View Related

Cisco Firewall :: Trying To Get ASA5505 To Route

Nov 14, 2012

customer's WAN solution, instead of buying routers, purchasing department bought ASA's (don't even get me started!). So I have 5 ASA 5505's for the branch offices and one 5510 for the Head Office. I am trying to get them to behave like routers and pass the traffic across. I set up a lab with a 5505 and the 5510 using an ethernet cable for both Outside interfaces since the WAN links are going to be MetroEthernet Layer 2 anyway.
 
I tried static routes, dynamic routing, I followed examples from other persons who did it and it doesn't work. I attached the configs here to show I have the default routes, specific static routes pointing the traffic out, any any rules configured as well. I cannot ping from the internal lan of the 5505 to the internal lan of the 5510.

View 1 Replies View Related

Cisco Firewall :: ASA5505 Does Not Pass Traffic

Jan 25, 2013

I used the GUI configuration tool for this ASA 5505. When I install it no traffic passes. I am wondering to verify my config. I have masked the usernames for VPN with xxxxxx and yyyyyy. [code]

View 6 Replies View Related

Cisco Firewall :: ASA5505 URL Filtering / Blocking?

Jul 7, 2012

I have ASA 5505 running 7.2.4, I want to prevent users accessing some web sites such as facebook , youtube and hotmail etc.

Which ASA 5505 IOS version should I use to block web access?
 
I don't want to isntall a dedicated filtering server ( websense etc) , I just want to block web sites statically on ASA 5505 via ASDM as I only have few sites to block.
 
know if ASA 5505 can do URL filtering, and what IOS is required ?

View 1 Replies View Related

Cisco Firewall :: ASA5505 - Can NAT May Be Used For More Than 10 Users With License

Apr 20, 2012

I have 10 user license for Cisco ASA, i have to use this ASA for client connectivity. Can i do NAT of more than 10 users with this license? What i understand is NO.

But as per Below explaination looks like, i can if i am not doing default routing? Actually i just need to add a specific Route towards client DMZ interface on my ASA, no default route, so can i use more than 10 concurrent sessions with this license?

View 5 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved