Cisco Firewall :: Object To Twice NAT Configuration ASA5505 8.4?
Dec 18, 2011
We have an ASA5505 that we need to enable hairpinning on.... In the old firmware versions, we used to be able to configure a public to private static mapping along with hairpinning by using
static (inside,outside) outside_ip inside_ip netmask 255.255.255.255
static (inside,inside) outside_ip inside_ip netmask 255.255.255.255
In 8.4, if I use object nat, the hairpin functionality works perfectly,
object network obj-insideip
nat (inside,inside) static publicip
however, since object nat only allows a single nat statement, I was attempting to use a twice nat to enable the hairpin functionality, but have been unsuccessful in coming up with the right combination of parameters for the functionality.
nat (inside,inside) source static private_object public_object destination static public_object private_object
allows hairpinning to successully work from the same machine. Meaning on any given host, I can ping itself using the private or public ip, but I can't get the right combination for hairpinning from any private host to another private host via the public ip. Other combinations have yielded icmp responses, however, they specify the private IP as the source of the reply instead of the public ip.
View 1 Replies
ADVERTISEMENT
Apr 7, 2013
Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
object-group network test
network-object 192.168.0.0 192.168.63.255
?
network-object-group mode commands/options:
A.B.C.D Enter an IPv4 network mask
sh run ob id test
object-group network test
network-object 192.168.0.0 192.168.63.255
I found that in the documentation it requires a netmask as oppose to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range it looks like the ASA doesn't read that configuration properly.
View 5 Replies
View Related
May 17, 2011
i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.
View 2 Replies
View Related
Feb 20, 2011
I like to take log backup in ASA.. and i like to check whether any attack pattern is there?? how could i do this...?Also how could i do a best practise for this?
View 12 Replies
View Related
May 11, 2013
I am using a Cisco E4200 router today but I am moving to a ASA5505. I have a device that sets up a VPN tunnel that I want to put in my DMZ. It's called the ATT Gateway. I have attached the diagram. When I use a Cisco E4200 all I do is put the outside private ip address of 192.168.0.99 of the ATT Gateway into the DMZ of the E4200 and the VPN tunnel of the ATT Gateway comes right up. I cannot configure the DMZ to do the same with the ASA. I also need to have the laptop behind the gateway access the printers in the inside network.
View 15 Replies
View Related
Sep 28, 2011
I am trying to configure a trunk between the above two devices. I like to have vlan11 on ASA. Then I like to connect a host to my switch, and have it communicate with other devices in VLAN 11 or other vlans that reside on the ASA. Below is the config that I currently have.
ASA:
ciscoasa# show run interface Ethernet0/1
!
interface Ethernet0/1
[Code].....
View 5 Replies
View Related
May 27, 2013
so we have been using our current ASA5505 for a long time. Since it only support up to 10 VPN licenses, so we buy a new ASA5505-SEC-BUN-K9(support up to 25 users).
the old ASA are running: 8.0.3 and ASDM 6.0.3
the new ASA are running: 8.2.5 and ASDM 6.4.5
I thought it would be simple as export and import the config file, but when i tried to restore, the new one is looking for a zip file but the old one doesn;t backup file in ZIP. It looks like i need to update the ASA version or/and ASDM?
I am pretty new to this and never upgrade any of these versions since I am aware of the upgrade may mess things up. So do I need to upgrade both the ASA version and the ASDM in order to restore my config? any effect if i do the upgrade? I also read some articles, we need to upgrade on the version one by one, like 8.0 to 8.1 then 8.2?
View 4 Replies
View Related
Jan 9, 2012
I am wondering if it's possible to convert a Pix 501 configuration running version 6.3(5) to a new ASA5505 which we just purchased? We have site to site VPN on this device and i am just trying to save some time. I believe Cisco TAC might have a tool to do this but i am not sure.
View 4 Replies
View Related
Dec 26, 2011
I’m trying to configure my ASA 5505, in order to allow my inbound and outbound mail communications. Here with this mail I’ve attached a diagram which illustrates my exact network setup along with ip addresses.
In this setup I’ve enabled port forwarding on my ADSL router (port 25 and 110) and configured the ASA accordingly, and my mail server is located inside my network.
My problem is currently I can send mails from my inside network to outside but my not receiving any mails which originate from outside. I’ve attached my current ASA configuration as well,
C:UsersSuthakarDocumentsOffice_DocsThakralABC Computers
Final config on ASA5505
host name Cisco
enable password 8Ry2YjIyt7RRXU24 encrypted
password 2KFQnbNIdI.2KYOU encrypted
names
!interface Vlan1
nameif inside
security-level 100
ip address 192.168.155.201 255.255.255.0
[Code] ......
View 3 Replies
View Related
Jun 8, 2011
Is it possible somehow to define externally administred DNS namese in ASA 8.4 in within object groups?i know that we can use name XXX, but some idea popped up using this kind of configuration.
View 3 Replies
View Related
Aug 19, 2012
There is something wrong with the ordering of our NAT-rules.We are running ASA Version 8.4(2)8 and the nat config is pasted below.
I want outgoing smtp-traffic to be translated to xxx.yyy.zzz.18, but instead it's translated to xxx.yyy.zzz.20 (the outside-interface address).The same goes for ftp-traffic, according to packettracer this is also translated to the xxx.yyy.zzz.20.
Ciscos manual states that static nat rules takes precedence over dynamic nat but that doesn't seem to work for us. [code]
View 7 Replies
View Related
Jul 20, 2011
I have an ASA5510 where I have defined object-groups and then associated them with a specific ACL. Our ISP is pulling their point of presence from where I live and I am force to move to a new ISP. I am in the process of setting up another interface for the ASA5510 to connect to the new ISP.
My questions is can I create a new ACL lets call it new_access_in and use it with the same object groups that I have already defined? I know that I can only have one ACL bound to an interface, and will bind this new ACL to the new interface I am setting up, but I wasn't sure if I could use the same object groups and connect them to a different ACL. I really don't want to have to create new object groups if I don't have to.
View 2 Replies
View Related
Jan 30, 2012
I have recently upgraded my ASA 5510 to 8.3 code and honestly I am confused on the best and most efficient way to do many nat translations through it. I have a group of about 100 IP's that need http/https/and sqlnet allowed through for our web farm.
I have a text file with the real and translated IP addresses and in 8.2 I could simply modify it and dump the thing in and make the NAT rules and access-lists. Now with the new object based model I am having a hard time wrapping my brain around how to do this using as few lines of code as possible.
Do I have to create an network object for each and every IP i want to nat through?
View 1 Replies
View Related
May 9, 2012
I have an ASA 5510 and have just started using object-groups which are super handy in theory, but not working in reality. I have a service object-group with a mix of tcp, icmp, and udp ports. Let's call it Sample_Port_Group. I'm trying to apply it to my dmz_access_in ACL. Here's the line giving me problems:
access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 any
The asa throws up an error between 192.168.1.1 and any. When I put up a ? after Sample_Port_Group, it gives me the option of putting in an IP address, any, etc. When I put in a ? after 192.168.1.1, it only gives me the option of putting in an IP address.URL
Those posts gave me the impression my line was possible, especially the "access-list outsideacl extended permit object-group myaclog interface inside any" line, which is at the end of the 2nd article linked.
View 2 Replies
View Related
Apr 28, 2012
I just tried to do a quick privilege level setup for a user to limit access to asa. User should be able to add nat's to configuration.ASA 8.4 is in question and trying the following does not seem to work:
privilege configure level 3 command object,gives me ,ERROR: specified command 'object' not found in any mode.It looks like localy this cannot be done or I am doing something wrong?
View 1 Replies
View Related
Sep 26, 2011
i have an ASA 5520 8.4(1) with following config
interface GigabitEthernet0/0
nameif WAN
security-level 0
ip address 216.52.185.33 255.255.255.240 standby 216.52.185.34
!
i need traffic (port 9350) from DMZ and WAN forwarded to object Production_23 port 3389, how do i achieve this ?
View 1 Replies
View Related
Oct 29, 2012
We have Cisco ASA 5510, I am about to add another 2 Objectgroup network groups on the firewall to our already growing list. Under this Object-group Network xxxx , we are planning to add about about 500 network-object host xxx.xxx.xxx.xxx . This objectgroup will then be applied to an ACL. Just wanted to know if thats possible - meaning addnig 500 hosts? If it is whats the limit?
Also are there any other things to keep in mind before i go-ahead with this huge object group?
View 3 Replies
View Related
Nov 4, 2012
We are in the process of migrating to the ASA service modules on both our 6509E switches from our current FWSM. We have used the Cisco conversion tool and applied that to the service module. When viewing the context in ASDM we are unable to view the object names in the right hand pane.
On the FWSM I would see the following under Network Objects:
Network Objects
- JQ-Test
- JQ-Test2
- JQ-Test3
Network Object Group
+ JQ Group
- JQ-Test
- JQ-Test2
- JQ-Test3
Now I have run the conversion tool and applied that to the ASA's I now get the following results.
Network Objects
- 10.1.1.1
- 10.2.2.2
- 10.3.3.3
Network Object Group
+ JQ Group
- 10.1.1.1
- 10.2.2.2
- 10.3.3.3
I am aware that the naming convention on the ASA's are different to the FWSM as you can no longer use the "name 1.1.1.1 JQ-Test1" format but I was hoping that the conversion tool would do this for me.
Is there any way I can get the names of the object back without having to script something that takes the old FWSM format and convert it into an ASA format?
View 1 Replies
View Related
Aug 5, 2011
We are facing the problem in ASDM 5.x creates duplicate network object groups in the configuration when PIX with software 7.0.7 is used.
Audit report its showing below commands :
asdm group SALES_ref dmz2 reference SALES object-group network SALES_ref network-object 172.20.7.8 network-object 172.20.10.3 network-object 172.20.11.2
no access-list dmz2_access_in extended permit tcp object-group Network_10.10.1.0 object-group SALES object-group SALES_Ports access-list dmz2_access_in line 200 extended permit tcp object-group Network_10.10.1.0 object-group SALES_ref object-group SALES_Ports
i was created SALES object group 2 month back after that ASDM Automatically created the duplicate object with SALES_ref name and changed the old ACL.
View 3 Replies
View Related
Oct 25, 2011
I'm migrating our network objects from our current firewall to a new ASA 5520 configuration. I'm using ASDM 6.4 for configuration.
We have a range of IP addresses for hosts that we need to add to a firewall rule/ACL. In the previous FW software I could create an object that was a range of IP address. For example there is an object called emailservers that is defined as 192.168.2.25-192.168.2.50.
Is there a way to do a similar thing on the ASA 5520?
I can see how to create subnets, but in this case I only have a range of IP addresses, no subnet mask.
View 1 Replies
View Related
May 10, 2011
I am troubleshooting a s2s vpn between an ISR871 and my ASA5520 and I suspect a problem with my crypto-maps.
Is there a way I can display an access-list on the ASA and have the object names substituted with their IP addresses?
View 5 Replies
View Related
Sep 19, 2011
After reading the post titled "ASA 5520 nat access-list query for internet access" I realized the object-group command could and should be used to make a more efficient and cleaner configuration. My current environment is very small and straight forward consisting of one FTP server in the DMZ. Though the guide: [URL] is straight forward, my inexperience hinders me from seeing how to use the commands effectively. A summary of the configuration is at the bottom of this post
Question: How can I clean up my current configuration? I have two references to the same server, dmz-rdp and dmz-ftp, created for port forwarding ports 3389 and ftp through the outside interface. I can combine them into one object statement, right? for each port I want to forward through the outside interface?
object network dmz-rdp
host 10.10.10.4
nat (DMZ,outside) static interface service tcp 3389 3389
[Code]....
View 1 Replies
View Related
May 2, 2011
I have a 5540, and i am trying to allow access to internet for an specific network object group, who has inside a bunch of users, who needs direct internet access without any restrictions, i have tried with dynamic NAT, but that configuration ask for a specific IP o a Network range, and is not permitted to configure an object group as a source
The group is located in LAN zone, so a permission from one zone to another zone is needed i think, but i can allow the internet acess to that group Is there another way to get that , different from NAT ?
View 5 Replies
View Related
Jun 19, 2011
this is ASA5520 associate with 8.4(1). very simple scenario , three ports: inside . outside . DMZ my problem is how to use network object NAT to perform Regular Dynamic PAT and Identity NAT.
for example, this is my configuration
**** first i configured Regular Dynamic PAT****
object network myinside
subnet 10.200.11.0 255.255.255.0
nat (inside,outside) dynamic interface
**** then , i met problem when i want to make identity NAT between inside and DMZ****
**** if i add below CLI , the first nat line will be replaced ****
**** SO IF I ADD THIS****
[code]......
View 4 Replies
View Related
Jul 20, 2012
i have the asa5505 with asa8.4.5 and asdm 6.4.2. my asa work like site to site vpn with the other asa5505. i would be love that monitoring status of VPN. i enabled on asa logging, i puted address of smtp server, receipent email, source email, the problem is because my smtp server require authentication, TLS. how set configuration on asa5505?
configuration of logging for send notification on email.
View 3 Replies
View Related
Aug 22, 2012
Our client has a vendor who needs to establish a VPN tunnel to their own router which sits behind our Firewall.
VPN Concentrator (Vendor) <------> ASA5505 Client (7.2) <-------> 3750 Switch <-------> VPN ASA outside Interface - 208.64.1x.x4 DG - 208.64.1x.x3
ASA Inside Interface - 172.20.58.13/30
3750 Switch Interface Connected to ASA - 172.20.58.14/30 and DG - 172.20.58.13
3750 Switch Interface connected to VPN router - 172.20.58.21
VPN Router Interface connected to the 3750 - 172.20.58.22/30 DG - 172.20.58.21
I have also attached a Visio for this and the running configuration from the ASA and 3750. We don't have access to the TNS VPN router. Our responsibility is to just to make sure the tunnel comes up.
1) Create a static NAT on the ASA for Public to Private IP of the VPN router
Public - 208.64.1x.x5 / 28
Private - 172.20.58.21 / 30
Will the ASA automatically ARP for this address or do i have to configure another interface on the ASA with this public IP?
2) What would the access list look like on the ASA?
3) The client gave us some config to copy the stuff on the ASA so that they can create the tunnel but i couldn't put those commands in the ASA. How would this be applied and on what interface?
Firewall Access: The following information pertains to access between the VPN router and the
VPN concentrator. If a firewall/router is present in front of the VPN the following services need to be
allowed:
permit esp host 208.224.x.x any
permit gre host 208.224.x.x any
permit udp host 208.224.x.x any eq isakmp
permit udp host 208.224.x.x any eq non500-isakmp(code )
View 2 Replies
View Related
Mar 8, 2011
I would like to configure a cisco ASA5505 IPSEC VPN. I used the wizard and tried to connect to the outside .. does not work .. The network is configured in this manner: - ADSL router with public address and internal address 192.168.2.1 -> firewall interface inside and outside 192.168.2.2 192.168.3.1 (my network is 192.168.3.0). I used a VPN to the pools ranging from 192.168.4.1 to 192.168.4.100.
INTERNET ----- ROUTER ------ ASA5505 -------LAN
What should I change? there could be problems between the router and firewall?
View 6 Replies
View Related
Mar 17, 2012
i have the asa5505. the configuration of asa 5505 is:
: Saved
Code...
i analyzed this traffic i see problem with the nat- Asymmetric NAT rules matched for forward and reverse flows. where i made error?
View 0 Replies
View Related
Mar 22, 2012
We have had an ASA5505 for close to two years. About a year ago, we added a second ISP ("BOB") which became our primary and our old one (SBC) became our backup. I successfully modified the config for this and it's been working well.
Now we're changing our primary ISP to Comcast and getting rid of BOB, so right now we actually have 3 ISPs coming into our building.
I removed the BOB interface and routes, then added an interface for Comcast using an IP address from the range they provided as well as a static route to the gateway they provided - everything is analagous to the previous interfaces and routes, but it doesn't work. If I physically disconnect the Ethernet cable going to the Comcast cable modem, then the ASA does fail back to the SBC interface as expected. If I put the BOB interface & route back in there, it works again through BOB.
If I connect a PC to the Comcast cable modem and use an IP/Gateway they provided, the Internet connection *does* work. Using this same exact IP info in the ASA doesn't work.
Is there some other configuration item besides interfaces and static routes that I should be modifying? Is there some way I can dig deeper into the ASA to see exactly what is failing?
View 2 Replies
View Related
Apr 8, 2012
I teach in a High School and we've got about a 300 node MS Windows Network. Two MS2003 File Servers act as my DNS/WINS/DHCP servers. We have been using a WATCHGUARD FIREBOX III to act as the router/gateway between the outside external address and my internal (10.0.0.1) gateway address. All p.c's inside the network are routed to one of the Servers (10.0.0.2 or 10.0.0.4) for DNS/WINS/DHCP addressing. The servers point to 10.0.0.1 for gateway.
We are trying to replace the Watchguard Firebox with a CISCO ASA 5505 (eventually we'd like to implement VPN). When I connect the CISCO ASA, I get no internet passthrough at all.
View 1 Replies
View Related
May 16, 2011
When I create a service object or group and add the object to a new rule it never works.I mean the traffic match not the rule. I see not hits.I placed the rule on top of my access list to check if I do somethink wrong but it is not working. When I place only a service for example tcp/23 it is working.
my ip service object
object-group service g-as400 description access client 2 as400 machine service-object tcp-udp destination eq 397 service-object tcp destination eq 137 service-object tcp destination eq 2001 service-object tcp destination eq 3000 service-object tcp destination eq 445 service-object tcp destination range 446 447 service-object tcp destination eq 449 service-object tcp destination eq 5010 service-object tcp destination eq 5544 service-object tcp destination eq 5555 service-object tcp destination range 8470 8476 service-object tcp destination eq 8480 service-object tcp destination eq
[code]...
View 8 Replies
View Related
Jan 9, 2012
There are two issues which are testing my resolve.
1) Bad Cryptochecksum Ignored error
2) Unable to boot to a save startup-config file.
I want to take the configuration from one ASA 5505 and move it to another ASA 5505. I copied the startup-config file from an ASA 5505 running asa821-k8.bin to an ASA running 8.222-k8 to flash using tftp. I set the boot config parameter on the new asa to flash:/startup-config which is the location of the startup file. If I use copy run start command, I over write the startup file. When I copy the startup configuration to the running configuration I get a Bad Cryptochecksum Ignored error and the startup file does not copy over to the running file. How can I resolve this issue?
View 1 Replies
View Related
Oct 17, 2011
Client has an ASA5505 anchoring an MPLS network. One of their branch offices is experiencing frequent circuit outages due to theft of copper lines. I am looking at an 881G with wireless aircard as a backup solution and creating a VPN tunnel to the ASA but am unsure about how to handle routing on the ASA. There will already be a route for the branch subnet for the MPLS network.
View 2 Replies
View Related