Cisco Firewall :: NAT ASA 9.0(2) / Cannot Access Original IP Using Another Port Or Ping From Host
Apr 10, 2013
Basically after upgrade from ASA 8.4 to 9.0 (2) I have problems when certain types of NAT.Example:SA 8.4: nat (LAN, outside) 85 10.252.253.123 source static 192.168.3.2 192.168.3.2 192.168.3.104 static destination service http http In this form the host 192.168.3.2 uses the mapped ip (192.168.3.104) to access by http while other ports can be accessed using the original IP (10.252.253.123).
ASA 9.0: nat (LAN, outside) 85 10.252.253.123 source static 192.168.3.2 192.168.3.2 192.168.3.104 static destination service http http In this form the host 192.168.3.2 uses the mapped ip (192.168.3.104) to access by http but unlike before now I cannot access to the original IP (10.252.253.123) using another port or ping from host 192.168.3.2.
recently I had some malware on my Windows XP Professional (version 2002), so I followed a guide at Bleeping Computer [URL] to get rid of it. Problem is, for some reason, after I finished, I could no longer access the internet!When I try, FIrefox gives me their "could not connect" message: "Server not found. Firefox can't find the server at [site]." Check the address for typing errors such as ww.example.com instead of [URL]"When I try to log into MSN, the troubleshoot says I have a problem with my DNS and Key Ports.I'm not good with computers so I Google'd and found some ping-ing instructions. When I tried to ping [site], I get: "Ping request could not find host [site]. check the name and try again." This happens regardless of the site I use.Lastly, I tried "ping 127.0.0.1" from a troubleshooting site. It gives me: "Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
I have Cisco ASA 5505 installed and use as default gateway. I go to Internet through the ASA5505 Here is my Problem.I can not ping from ASA prompt(ASA#) to my Laptop connected to the ASA, but i can ping the ASA inside interface from laptop i can not use ASDM and the VPN Tunnel is not working between the sie
ASA# ping 10.10.10.12 ??????????? 100% lost Laptop c C:/ping 10.10.10.1 !!!!!!!!!!!!!!!!
Here is the Topology
INTERNET .<=========================>ASA<===============================> LAPTOP
I disabled window firewall on the Laptop , but no goof result.
I have ASA 5520. I cannot ping the host(192.168.1.20) which is inside firewall from outside hosts. Inside host (192.168.1.20) is translated into (198.24.210.226) using static NAT.From outside host, I used "PING 198.24.210.226". Is it because I used dynamic PAT for inside hosts?
When I tried to upgrading PIX525 6.3 to 7.0 , Not able to Ping the host from the PIX 525 Inside interface which is on the same subnet, Also from the host to Inside Interface , Tried with Directly connected laptop with Cross cable and using Straight cable via switch, But the results end with fail.
I have a host that can successfully connect to a PIX 515E (7.x OS) via VPN Client; however, I have no IP routing to the LAN from the remote host.The VPN IP pool works finem,The LAN default gateway is the inside interface on the PIX; the network is flat L2 behind it.The default route on the PIX points out; no other routes are defined,The VPN remote host can be pinged from LAN hosts, but the VPN remote host cannot ping any LAN host, not even the PIX inside interface.
I got one request from one of the user to allow his ip to access one public using port www, this needs to be allowed in Cisco PIX, if the below command is correct for this.
Source host : 10.84.11.1 Destination IP : 203.126.112.131 Port : www
I set this up and I can ping all the gateways but never the hosts. I was hoping I could make these links between 6500's a mix of L2 and L3. Check it out. They are connected in a linear fashion R1--->R2--->R3. I can ping from R1 to R3's SVI4 gateway but I can never ping a host on that SVI4. I was hoping that I could use the port-channels between 6500's as routed links or as trunk links depending on the type of traffic....thought it would ease the migration. I suppose I could always get rid of the port-channels and just make separate L2 and L3 links between the 6500's.
I'm using an ASA5505 (8.4(1)) and would like to block port 80 on a specific host in the LAN so machines in other remote LANs connected via VPN can't access this port on the host. Devices in the local LAN should have access to this port on the host. Here are the commands I'm using:
-access-list block_port extended deny tcp any host 10.20.10.20 eq 80 -access-list block_port extended permit ip any any -access-group block_port out interface inside
These commands are not working as I would expect them to. When I browse to http://10.20.10.20 from a remote machine over the VPN tunnel I am able to access the host web server.
I'm working on setting up a new ASA 5550, and have run into a question that I hope is easily answered.I currently have 4 interfaces, SL100 Inside, SL80 DMZ1, SL50 DMZ2, and SL0 Outside. I was under the impression that each interface, depending on security level would pass traffic from higher levels to lower, but not allow traffic being generated from SL80 to SL100.
What I would like to accomplish is that any hosts on my SL100 Inside interface can access the "internet" which is connected to my outside interface of the ASA, which was very simple, just a permit internal subnets eq www / https / etc...
My DMZ subnets need to access a few servers on my internal interface, and need outbound access to the world as well. Thinking that all traffic from my lower SL interfaces on the ASA would be denied, I entered a permit IP / DMZ subnet ------> any. This worked great for giving my DMZ hosts access to the internet, but it also permit traffic from the DMZ to hosts on my Inside interface as well.
i am using a Cisco 1841 with subinterfaces instead (NAT on a stick).From the internet i can access services on public IP being hosted in LAN2. But when i try to access the same services on the same public IPs but sitting on LAN1, it does not work.
I have an ASA5505 running ver 8.0(2). I have configured the ssh timeout, ssh host commands and did the crypt o key gen. I am unable to access the device from the host I am allowing. Is there like ca save all command required? I am trying to use the default pix and telnet password. Do those still work?
i am using a Cisco 1841 with subinterfaces instead (NAT on a stick).From the internet i can access services on public IP being hosted in LAN2. But when i try to access the same services on the same public IPs but sitting on LAN1, it does not work.
I recently purchased a used Cisco ASA 5505 and I accidentally (and very stupidly) erased the flash without backing up my license.I have generated a demo licence from the Cisco licencing site, so I have basic functionality. However, the email that I received informed me that there is a higher licence already stored for my device.My question is, is there a way to get that licence back if I can provide the serial number / any other identification to prove I now own the ASA?
The old syntax that I am much more familiar with has been deprecated. On older IOS it would have been something like static (inside,outside) tcp 209.114.146.122 14033 192.168.30.69 1433 netmask 255.255.255.255 Plus an extended ACL to allow the traffic.I am trying to create a Static PAT to allow a host address to access our Network through an ASA. I have external address 209.114.146.122 that I want to hit the external interface on an obscure port (say 14033) and translate that traffic to an internal host address on port 1433.
I'm going through the CCNA training and I'm setting up my DHCP server on my 871 router. I have my cable modem into the WAN port on my router and have 1 host plugged directly into Fastethernet 1. I can ping any IP I want from the IOS prompt but I only have local access from the host. [code]
I test all devices using ping command, from ASA to router was fine (on both interface) but not to Host , and host to router was fine, but only on directly interface(F1/0), and to ASA was not success. am i miss something in my configuration?
configure my Cisco ASA5510 (asa version 8.3.1) so that one of the host (e.g.192.168.8.20) behind management interface can ping to the other host (e.g. 192.168.2.246) behind OUTSIDEinterface. I tried modifying the ACLs, NATs and ICMP statement, but still failed[CODE]
I have installed an Oracle DB (11.2) on a guest VM (Centos 5) and my host is Windows 7 Ultimate.I need to able to connect to the DB from windows.Ping status is as follows:
I have a cisco ASR 1002 I have plugged a host into an addressed port and the port comes up however the host cannot ping the router and the router cannot ping the host. Neither can router ping its self. I do the same on a cisco 2800 router and it works fine. What's goin on. Is it the fact that this is a ASR router ?
I'm using 3 AP's 1140 with local authentication using local radius (flex connect mode).the radius server im using is MS 2008 R2.authentication is working great on all devices pc's&mobile.authentication method is PEAP wpa2 aes enterprise.after 3 or 4 hours devices loose connectivity to the web.the device seems to be still connected to the ap but there is no ping to host from local lan or any arp learnd on local router.only manual disconnect on device and reconnecting brings connectivity up again.in one case only reseting the AP's worked.
I have a single cisco 11503 load balancer.There is a single Banner student information system which is load balanced on it with Virtual ip 10.3.20.101 which is working fine without any issues .I am now trying to add an Oracle ERP application with virtual IP 10.3.20.230 and physical ips 10.3.19.22 and 10.3.19.23 all on port 8003.When I just make the group ERP-Apps-Grp active , the vitual ip address 10.3.20.230 is pingable , but when I make the the content Erp_IAT active it stops pinging. [code]
When I try to ping ipv6.xsnews.nl on either of my Windows 7 computers, it returns "Ping request could not find host". But when I do it on XP, it succeeds. I have tried putting the W7 PC in the DMZ, disabling the software firewall but it doesn't work.
What I think it involves is having ipv6 installed on each. I tried to duplicate the setup of both the XP and a W7 computer, installing the gogo6 tunnel. But apparently it's not setup on this computer because the ping result is the same as on the third computer which hasn't had ipv6 installed. s not setup on this computer because the ping result is the same as on the third computer which hasn
I am having difficulty following the logic of the port-translation. Here is the configuration on a 5505 with 8.3,So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully.
From the router I can ping the 2nd router, all its host and all of the 1941w interfaces.
From the 1941w AP i cannot reach the 2nd router or any of its host, but I can reach the interface that is connected to the 2nd router but only one side of it.
Attached are both my router and ap configs. At the moment I am just trying to reach the 2nd router and its host so I can update the AP IOS image but cannot reach the tftp server.
I am in a test environment using an ASA 55005 and a Cisoc 2611xm router. ASA is running version 8.4 and router is running is ios12.4. My VPN tunnel comes up but I am unable to ping between remote hosts. I used the ASDM and SDM for the configuration. Attached is a copy of both configs.
ping 10.0.0.1 -t give me destination host unreachable in the same time when i wright ping 192.168.1.1 -t it give me the correct reply but the net doesnt work
