Cisco Firewall :: Object Group Network Limit With Asa 5510

Oct 29, 2012

We have Cisco ASA 5510, I am about to add another 2 Objectgroup network  groups on the firewall to our already growing list. Under this Object-group Network xxxx , we are planning to add about about 500 network-object host xxx.xxx.xxx.xxx . This objectgroup will then be applied to an ACL. Just wanted to know if thats possible - meaning addnig 500 hosts? If it is whats the limit?
 
Also are there any other things to keep in mind before i go-ahead with this huge object group?

View 3 Replies


ADVERTISEMENT

Cisco Firewall :: 5520 - Object-group With Network-object Containing IP Address Range

Apr 7, 2013

Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
 
object-group network test
network-object 192.168.0.0 192.168.63.255
?
network-object-group mode commands/options:
A.B.C.D  Enter an IPv4 network mask
sh run ob id test
object-group network test
network-object 192.168.0.0 192.168.63.255
 
I found that in the documentation it requires a netmask as oppose to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range it looks like the ASA doesn't read that configuration properly.

View 5 Replies View Related

Cisco Firewall :: ASA 5510 / Ip Service Object And Service Group

May 16, 2011

When I create a service object or group and add the object to a new rule it never works.I mean the traffic match not the rule. I see not hits.I placed the rule on top of my access list to check if I do somethink wrong but it is not working. When I place only a service for example tcp/23 it is working.
 
my ip service object
object-group service g-as400 description access client 2 as400 machine service-object tcp-udp destination eq 397 service-object tcp destination eq 137 service-object tcp destination eq 2001 service-object tcp destination eq 3000 service-object tcp destination eq 445 service-object tcp destination range 446 447 service-object tcp destination eq 449 service-object tcp destination eq 5010 service-object tcp destination eq 5544 service-object tcp destination eq 5555 service-object tcp destination range 8470 8476 service-object tcp destination eq 8480 service-object tcp destination eq

[code]...

View 8 Replies View Related

Cisco Firewall :: Internet Access Through ASA 5540 For Specific Network Object Group

May 2, 2011

I have a 5540, and i am trying to allow access to internet for an specific network object group, who has inside a bunch of users, who needs direct internet access without any restrictions, i have tried with dynamic NAT, but that configuration ask for a specific IP o a Network range, and is not permitted to configure an  object group as a source
 
The group is located in LAN zone, so a permission from one zone to another zone is needed i think, but i can allow the internet acess to that group Is there another way to get that , different from NAT ?

View 5 Replies View Related

Cisco Security :: ASA 5510 Object-group And Range Option

Feb 6, 2013

I have 3 ASA 5510s; two of which are in production and the 3rd one is new. I inherited the two in production and was trying to configure that 3rd one using some of the existing object-group network statements.  The problem is that when I try to create a range of IPs in one of the object-groups; the range command is not available. Here is one of the statements extracted from one of the production ASAs:  object network REMOTE range 62.77.130.14 62.77.130.208.Both ASAs have the same image ver (asa842-k8).  Is there something that I am missing to be able to enable the range option on the new ASA?

View 2 Replies View Related

Cisco Firewall :: 5510 - Create Network Object For IP To NAT Through? 

Jan 30, 2012

I have recently upgraded my ASA 5510 to 8.3 code and honestly I am confused on the best and most efficient way to do many nat translations through it.  I have a group of about 100 IP's that need http/https/and sqlnet allowed through for our web farm.
 
I have a text file with the real and translated IP addresses and in 8.2 I could simply modify it and dump the thing in and make the NAT rules and access-lists.  Now with the new object based model I am having a hard time wrapping my brain around how to do this using as few lines of code as possible.
 
Do I have to create an network object for each and every IP i want to nat through? 

View 1 Replies View Related

Cisco Firewall :: ASA 5510 Object Groups / Creating New ACL

Jul 20, 2011

I have an ASA5510 where I have defined object-groups and then associated them with a specific ACL.  Our ISP is pulling their point of presence from where I live and I am force to move to a new ISP.  I am in the process of setting up another interface for the ASA5510 to connect to the new ISP.
 
My questions is can I create a new ACL lets call it new_access_in and use it with the same object groups that I have already defined?  I know that I can only have one ACL bound to an interface, and will bind this new ACL to the new interface I am setting up, but I wasn't sure if I could use the same object groups and connect them to a different ACL.  I really don't want to have to create new object groups if I don't have to.

View 2 Replies View Related

Cisco Firewall :: ASA 5510 Object-Groups Not Working

May 9, 2012

I have an ASA 5510 and have just started using object-groups which are super handy in theory, but not working in reality. I have a service object-group with a mix of tcp, icmp, and udp ports. Let's call it Sample_Port_Group. I'm trying to apply it to my dmz_access_in ACL. Here's the line giving me problems:
 
access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 any
 
The asa throws up an error between 192.168.1.1 and any. When I put up a ? after Sample_Port_Group, it gives me the option of putting in an IP address, any, etc. When I put in a ? after 192.168.1.1, it only gives me the option of putting in an IP address.URL

Those posts gave me the impression my line was possible, especially the "access-list outsideacl extended permit object-group myaclog interface inside any" line, which is at the end of the 2nd article linked.

View 2 Replies View Related

Home Group Network Speed Limit?

Dec 29, 2012

Home group network speed limit?

View 1 Replies View Related

Cisco Switching/Routing :: Cat4500 With IOS-XE And Object Group ACLs

Feb 5, 2013

Any one know when object-group ACLs will be supported in cat4500 IOS-XE ?? Doesnt seem to be supported now.

View 1 Replies View Related

Cisco Switching/Routing :: 2911 - How To Create Object-group With ACL

Jan 2, 2012

In cisco router 2911 how to creat a network object with port permission on ACL. herz what i have done but couldnt succeed in port 22 and 24 should be denied and rest all port services are allowed to outside interface. [code]

View 3 Replies View Related

Cisco Switching/Routing :: Object Group In C3560 & C3750 Switches?

Feb 16, 2011

I have two  layer 3 switches C3560 and C3750 Cisco switches with ios version "ipservices-mz.122-35.SE5".Now with the current ios version, these layer 3 switches are not supporting object group.so my question is , do i need to upgrade the ios, for this feature, if yes, which version ?

View 7 Replies View Related

Cisco Switching/Routing :: 6500 - Acl Object Group With Wccp Redirect List

Dec 31, 2012

Can i use acl object group with wccp redirect list?My platforms are 6500 and isr 2921

View 1 Replies View Related

Cisco Firewall :: ASA 8.4 Network Object NAT Ordering

Aug 19, 2012

There is something wrong with the ordering of our NAT-rules.We are running ASA Version 8.4(2)8 and the nat config is pasted below.
 
I want outgoing smtp-traffic to be translated to xxx.yyy.zzz.18, but instead it's translated to xxx.yyy.zzz.20 (the outside-interface address).The same goes for ftp-traffic, according to packettracer this is also translated to the xxx.yyy.zzz.20.
 
Ciscos manual states that static nat rules takes precedence over dynamic nat but that doesn't seem to work for us. [code]

View 7 Replies View Related

Cisco Firewall :: DNS Server Group On ASA 5510

Apr 5, 2011

I can not have "dns server-group" on my asa 5510, could you tell me how to get this command in my ASA 5510.

View 3 Replies View Related

Cisco Firewall :: Command Authorization In ASA 8.4 For Object Network

Apr 28, 2012

I just tried to do a quick privilege level setup for a user to limit access to asa. User should be able to add nat's to configuration.ASA 8.4 is in question and trying the following does not seem to work:

privilege configure level 3 command object,gives me ,ERROR: specified command 'object' not found in any mode.It looks like localy this cannot be done or I am doing something wrong?

View 1 Replies View Related

Cisco Firewall :: ASA 5510 Ver 8.2 Rate Limit

Jan 17, 2012

I'm trying to limit one of my inside hosts, since it's been a little of a hog. I have 3Mb available from my ISP via 2x T1. I'm testing this on a computer in a lab:
  
PC 10.10.10.10------Cisco2960-------- 10.10.10.1 Inside - ASA - Outside 208.66.x.1------------------------208.66.x.2-Cisco 2811-2xT1
  
Here's what I've tried so far, please see text in red:
 
***global (outside) 1 208.66.x.115
***nat (inside) 0 access-list No-Nat
***nat (inside) 1 0.0.0.0 0.0.0.0

[Code].....

It didn't work... I was able to max the bandwidth again. I also tried to apply service-policy to inside int, which didn't make a difference.

View 1 Replies View Related

Cisco Firewall :: 5510 No Translation Group Found Error

May 31, 2011

I have a 5510 with just a inside and outside interface, everything works on the lan inc internet access and exchange hosting to the net, but I have another exchange server on the wan and I can't get to that because I'm not natting inbound traffic and the default route sends traffic elsewhere.
 
If I put a nat any statement on the inside interface inbound it works, however all LAN internet traffic fails with a  No translation group found error.I've removed the static nat commands as they are all named anyway, but below is what I have before I do a nat any inside inbound command global (outside) 1 interfaceglobal (inside) 2 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0.

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Multiple Pools / Group Authentication?

Apr 8, 2011

can i have on asa 5510 multiple pools and multiple group authentication for various departments along with restricted access if any

View 3 Replies View Related

Cisco Firewall :: 5510 - No Translation Group Found For UDP Src Inside

Jan 10, 2013

I have seen many of these errors lately.  We have just moved to a new office and I have basically only assigned a new IP to the outside interface.
 
[code]....

View 6 Replies View Related

Cisco Firewall :: ASDM 5.0.7 Creates Duplicate Network Object Groups

Aug 5, 2011

We are facing the problem in ASDM 5.x creates duplicate network object groups in the configuration when PIX with software 7.0.7 is used.
Audit report its showing below commands :
 
asdm group SALES_ref dmz2 reference SALES object-group network SALES_ref network-object 172.20.7.8 network-object 172.20.10.3 network-object 172.20.11.2
 
no access-list dmz2_access_in extended permit tcp object-group Network_10.10.1.0 object-group SALES object-group SALES_Ports access-list dmz2_access_in line 200 extended permit tcp object-group Network_10.10.1.0 object-group SALES_ref object-group SALES_Ports
 
i was created SALES object group 2 month back after that ASDM Automatically created the duplicate object with SALES_ref name and changed the old ACL.

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - Create Network Object For Range Of Hosts?

Oct 25, 2011

I'm migrating our network objects from our current firewall to a new ASA 5520 configuration. I'm using ASDM 6.4 for configuration.
 
We have a range of IP addresses for hosts that we need to add to a firewall rule/ACL. In the previous FW software I could create an object that was a range of IP address. For example there is an object called emailservers that is defined as 192.168.2.25-192.168.2.50.
 
Is there a way to do a similar thing on the ASA 5520?
 
I can see how to create subnets, but in this case I only have a range of IP addresses, no subnet mask.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 How To Limit Icmp To Just Single Host

Nov 1, 2012

I am working on an ASA 5510 on 8.4 IOS and need to know how to limit icmp to just a single host? What I would like to do is be able to PING from the Inside interface 10.X.X.X to host 4.2.2.2 on the Outside, but thats it no other host would be PINGable.I tried MANY different access-list statements but the only way I can get icmp out and working is using the "fixup protocol icmp" but then everything is PINGable and the ASA does not block anything.

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Authenticate Users Of Specific LDAP Group

Apr 19, 2010

I'm actually require authentication for users who are coming from the PublicVLAN (the vlan associated with the wireless hotspot) to authenticate themself to the LDAP server via my firewall ASA 5510

View 12 Replies View Related

Cisco Firewall :: ASA5520 / How To Use Network Object NAT To Perform Regular Dynamic PAT And Identity NAT

Jun 19, 2011

this is ASA5520 associate with 8.4(1). very simple scenario , three ports: inside . outside . DMZ my problem is how to use network object NAT to perform Regular Dynamic PAT and Identity NAT.

for example, this is my configuration

**** first i configured Regular Dynamic PAT****
 
object network myinside
subnet 10.200.11.0 255.255.255.0
nat (inside,outside) dynamic interface 
**** then , i met problem when i want to make identity NAT between inside and DMZ****
**** if i add below CLI , the first nat line will be replaced ****
**** SO IF I ADD THIS****

[code]......

View 4 Replies View Related

Cisco Firewall :: ASA 5510 - Rate Limit The Internet Bandwidth / Speed?

Jul 29, 2012

In ASA 5510. How I can limit the users in (VLAN 20) to use the internet with a limited Bandwidth/speed with 3 mbps upload and 5 mbps download?
 
In case the outside interface (Native vlan) which is connected to the ISP and have a bandwidth/speed of 30 mbps upload and 50 mbps download.

View 4 Replies View Related

Cisco WAN :: 2800 - Limit Of T1s In Channel Group

Jun 22, 2011

I can't find the theoretical limit of T1s in a channel group on a 2800. I know that you can have 2 channel groups per V Wic 2, but it doesn't say how many T1s I can have bonded. I think it's 8, but I can't find it in writing anywhere.

View 3 Replies View Related

Cisco VPN :: How To Limit Maximum SSL VPN Sessions Per Group-policy On ASA5510

Nov 25, 2012

How to limit maximum SSL VPN sessions per group-policy on ASA5510?
 
There are 2 group-policy: in one maximum of 10 connections, in the second - 15 (In total licenses for SSL VPN 25 connections).

View 5 Replies View Related

Cisco Switching/Routing :: HSRP Group Limit In 4506E Switch?

Oct 31, 2012

I have two cisco 4506-E series switches ..
 
We are planning to go for HSRP redundancy for 32 VLANs. Means In a Cisco 4506-E switch , we will configure 32 vlans and among them 16 vlans will be primary and 16VLANs will be standby ans it is viceversa in another core-switch
 
My querie is How many standby groups can we create in Cisco 4506-E switch,
Is there any limitation..
 
If there is any limitation , can we go ahead with VRRP,GLBP? Are there any limitation in VRRP/GLBP? Is there any design related issue can we face if we use same group number to all VLANs?
 
Product details :
 
Model : Cisco 4506-E
Sup Model : WS-X45-SUP6L-E
IOS  : S45EIPBK9-12254SG

View 2 Replies View Related

Cisco Firewall :: ASA 8.4 DNS Names In Object-groups

Jun 8, 2011

Is it possible somehow to define externally administred DNS namese in ASA 8.4 in within object groups?i know that we can use name XXX, but some idea popped up using this kind of configuration.

View 3 Replies View Related

Cisco Firewall :: Object To Twice NAT Configuration ASA5505 8.4?

Dec 18, 2011

We have an ASA5505 that we need to enable hairpinning on.... In the old firmware versions, we used to be able to configure a public to private static mapping along with hairpinning by using
 
static (inside,outside) outside_ip inside_ip netmask 255.255.255.255
static (inside,inside) outside_ip inside_ip netmask 255.255.255.255
 
In 8.4, if I use object nat, the hairpin functionality works perfectly,
 
object network obj-insideip
  nat (inside,inside) static publicip
 
however, since object nat only allows a single nat statement, I was attempting to use a twice nat to enable the hairpin functionality, but have been unsuccessful in coming up with the right combination of parameters for the functionality.
 
nat (inside,inside) source static private_object public_object destination static public_object private_object
 
allows hairpinning to successully work from the same machine.  Meaning on any given host, I can ping itself using the private or public ip, but I can't get the right combination for hairpinning from any private host to another private host via the public ip.  Other combinations have yielded icmp responses, however, they specify the private IP as the source of the reply instead of the public ip.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Traffic From DMZ And WAN Forwarded To Object Production

Sep 26, 2011

i have an ASA 5520 8.4(1) with following config
 
interface GigabitEthernet0/0
nameif WAN
security-level 0
ip address 216.52.185.33 255.255.255.240 standby 216.52.185.34
!

i need traffic (port 9350) from DMZ and WAN forwarded to object Production_23 port 3389, how do i achieve this ?

View 1 Replies View Related

Cisco Firewall :: 6509 - FWSM To ASASM Object Conversion

Nov 4, 2012

We are in the process of migrating to the ASA service modules on both our 6509E switches from our current FWSM. We have used the Cisco conversion tool and applied that to the service module. When viewing the context in ASDM we are unable to view the object names in the right hand pane.
 
On the FWSM I would see the following under Network Objects:
 
Network Objects
- JQ-Test
- JQ-Test2
- JQ-Test3
 
Network Object Group
+ JQ Group
      - JQ-Test
      - JQ-Test2
      - JQ-Test3
 
Now I have run the conversion tool and applied that to the ASA's I now get the following results.
 
Network Objects
- 10.1.1.1
- 10.2.2.2
- 10.3.3.3
 
Network Object Group
+ JQ Group
     - 10.1.1.1
     - 10.2.2.2
     - 10.3.3.3
 
I am aware that the naming convention on the ASA's are different to the FWSM as you can no longer use the "name 1.1.1.1 JQ-Test1" format but I was hoping that the conversion tool would do this for me.
 
Is there any way I can get the names of the object back without having to script something that takes the old FWSM format and convert it into an ASA format?

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved