Cisco Firewall :: One To Many NAT Rules To Same DMZ IP ASA 8.2
Dec 5, 2011
Is it possible to provision 3 different public IP addresses to the same DMZ IP (Web server) on an ASA running ver 8.2(4)? Unfortunately, the way the server was provisioned Static or Dynamic PAT will not work. I have read that ver 8.3 and up supports natively one-to-many NAT translations, but at this point the client is not ready for an upgrade. Is there anything else I could do to overcome this challenge?
I am configuring a 2921 with enhanced security using the CCP. I have found a behavior that seems strange to me and I'm not sure if I'm misunderstanding something or missing a setting. It seems that if I create a firewall rule to "allow" traffic through, that traffic gets dropped, but if I set the action to "Inspect", the traffic comes through fine. I can actually reproduce this at will by setting up a rule from out-zone to self to allow traffic and I cannot telnet into it from an external ip, but if I change that rule to "inspect" i can connect fine (i dont want that rule set up permanently, was just using it to test the firewall).
If I set the allow rule to log, I see the following line in the application security log:
(target:class)-(ccp-zp-out-self:user-fw-ccp) Passing telnet pkt 1.1.1.1:58141 => 2.2.2.2:23 with ip ident 0 (where 1.1.1.1 is the external laptop and 2.2.2.2 is my WAN IP address of the 2921)
So it looks to be passing the traffic, but that traffic is getting dropped somewhere because the connection is unsuccessful.
Is this the expected behavior of "Allow" action? Is there something I can do to make sure "allow" traffic actually gets through?
I have a Pix 515, and a question about firewall rules/access lists.I have recently created a new VPN group, and IP Pool.I created a firewall rule that grants access via TCP to a specific IP address from this firewall. However, when I test the VPN from outside the company, I find I can get to whatever server I want to. There is no allow any/any. I do not think there is any other rule before it or after it that would give that kind of access as most of our rules are for specific IP's and protocols.
The only thing I could think of is that we are using the account management in the firewall to authenticate the users. I am giving the VPN users level 3 access.I will probably not post my config as it is my firewall config, and it would be against company policy.
I'm having some troubles with NAT, packets does not match nat rule (that i think it should) and is not choosing the right egress interface. So crypto map never starts
this is the relevant config:
interface Port-channel2.4 description Public TESA ADSL internet connection vlan 7
Boss wants a listing of the firewall rules only. What's a command I can run that will give me a listing of this?If I can get an output of firewall rules only, via GUI, that'll work too. It just needs to end up with a printout on a piece of paper telling me what the firewall is doing.
Ive migrated from my lab pix to a lab asa and am trying to open certain ports to my internal network.
in my confg on my pix i had acls to open port 51413 to an inside host along with the static nat rule.
what i am trying to accomplish is same on my asa, however the nat rules seem to be slightly different, and i'm not completely sure how to do it.
My ACL and nat rule is below. I'm pretty certain my acl is correct,but i am not sure as to what to do with my NAT rules to allow a translation for the tcp service.
I have several working VPNs between ASAs 8.4 and 8.3The way this was set up is with cryptomaps that match whole subnets and ACL on the outside interface to permit from/to the RFC 1918 addresses.I notice that the hit count is zero on these rules and so I wonder if they are actually necessary or doing anything.If they are not where can an acl be applied to restrict the VPN traffic? Outbound on the inside interface?
Then only allow certain ip's access to the entire internet like this...
Internet_User_Group
It would be nice to possibly be able to add the rules to users in my domain, then associate the domain account with an IP OR have them login to view webpages.
I have PIX 535 and using ACLs for allowing traffic. I need to clean up the rule base. I would like to know how to fetch a report of Unused rules for long time?Also when a traffic is being allowed, I want to know through which rule number its being allowed?
Note If you configure VPN, the client dynamically adds invisible NAT rules to the end of this section. Be sure that you do not configure a twice NAT rule in this section that might match your VPN traffic, instead of matching the invisible rule. If VPN does not work due to NAT failure, consider adding twice NAT rules to section 3 instead.
I got some issues with my CISCO ASA, the thing is that when I add a new rule on the device this rule duplicate and goes to the bottom. We already tried to delete the duplicate rule but it always show an error.
I have a firewall enabled cisco 877 with these rules.
Interface Dialer0 IN 10 deny ip 0.0.0.0 0.255.255.255 any 20 deny ip 10.0.0.0 0.255.255.255 any 30 deny ip 127.0.0.0 0.255.255.255 any 40 deny ip 172.16.0.0 0.15.255.255 any 50 deny ip 192.168.0.0 0.0.255.255 any 60 deny ip 224.0.0.0 15.255.255.255 any 70 deny ip 240.0.0.0 15.255.255.255 any 80 permit tcp any any eq 22 (8810 matches) 90 permit tcp any any eq 242 100 permit udp any any eq snmp 110 permit icmp any any echo (6 matches) 120 permit udp any any eq non500-isakmp (3 matches) 130 permit udp any any eq isakmp (1 match) 140 permit tcp any any eq www (26 matches) 150 permit udp any eq domain any 160 permit tcp any any established (6 matches) 170 permit tcp any any eq smtp (2 matches) 180 permit tcp any any eq pop3 (3 matches) 190 permit tcp any any eq 443 200 permit esp any any 210 permit ahp any any Interface Dialer Out 10 permit ip any any
This rule which is its function?"permit tcp any any established"
I have made a firewall rule that accepts FTP from WAN2 outside to the inside private LAN with IP address specified.But this didn't work.When I added in the forward rules that FTP had to be forwarded to this IP address it worked.I have done some testing but it seems that the firewall rules do not have any priority on the forward rule.If I disable the forward rule i cannot connect with ftp even with a firewall rule made.
In the last 8 month I have been upgrated at least 6 Cisco ASA 5505 from 8.2(1) to 8.4(3) without problems, I did a minor changes and all related to rules due a problem with the migration.
We have a pair of ASA running 8.0 (old) version. The way we create outbound rules is done through ASDM and when we need to open outbound connections to a server in the internet, we create named object with IP address configured manually.But practically , this doesnt work, since the server is a server name which can resolve to multiple addresses. Everytime the server chagnes its IP the ASA rule needs to be updated.Is there a difference if we add rules through CMD prompt as against ASDM where we need to enter IP addresses?
On my RV042 (I used it for a couple of years now without issues), the DIAG led light amber (steady). It's not documented in the user manual.User manual says only:,Diag (Red) The Diag LED lights up when the Router is not ready for use. It turns off when the Router is ready for use.",Router does not work anymore and I can't access its web page as I used to do before this problem.I did a reset to factory default (reset button hold for more than 30 sec.) but it didn't change anything.
I have a static IP block and need to route to various servers. I know I can use 1:1 NAT or Access Rules and have success with each. The problem is my mail server. When I use 1:1 NAT, the mail is sent from the correct IP - the address of my mail server - and there is no problem with reverse lookups. However, I cannot block any ports when I use 1:1 NAT. I have tried it every way I can think of and even some suggestions in the forums that did not work. No matter how I set access rules, all port stay open in 1:1 NAT.
If I delete the 1:1 NAT rule and use Access rules to open specific ports, the mail server sends out the mail from the WAN address. The reverse DNS does not match and mail server will bounce the mail.
We are moving from a different vendor to ASA 5520s. So far my "training" for Cisco consists of s Cisco press book, some white papers and guides, this website, and a bunch of mistakes. So, I have what is probably a pretty basic question for most folks.
What is the difference between Firewall Access Rules and ACL/ACE? And when to use which?
for example: on my ASA 5520s I've set up an Interface for my internal LAN: 172.16.x.x., a DMZ 192.168.2.0/24, and an interface for the Internet side. The 5520 is set up as a routing firewall betwen my internal lan, DMZ, and Internet.
If I want to allow my internal users Internet access for http and https would I use a Firewall Access rule?For most of my rules allowing outbound access from my 172 LAN and DMZ and inbound access to devices in my DMZ can I mostly utilize the Firewall Access Rules?
I purchased a RV180 router, and would like set the Firewall Access Rules as below
- Action: Always Allow - Service: HTTP - Source IP: Any - Send to Local Server (DNAT IP): private ip (192.168.1.xx) - Use Other WAN IP Address: Enable - WAN Destination IP: one of public ip (different of the router WAN ip address) - Action: Always Allow - Service: FTP - Source IP: Any - Send to Local Server (DNAT IP): private ip (192.168.1.xx) - Use Other WAN IP Address: Enable - WAN Destination IP: one of public ip (different of the router WAN ip address)
The firewall access rules no problem within 1 hour after setting. I can access the http / ftp services by the WAN ip address. After several hours, I can't access the services.
I can set the one-to-one NAT rather than use the firewall access rules, but I would like block all other ports, and one-to-one NAT will forward all ports to the private ip address. Administrator > Logging > Firewall Logs , when I enable the settings, where can I get the log of the firewall?
we replaced our PIX525 firewall with an ASA 5540 firewall, and now we see some strange behavior in ASDM.ASDM does not display all the rules, but i see all all the rules in cli.
I am just about to start on a project where we are moving from Old Cyberguard firewalls to ASA 5520 firewalls, any rule base converstion tool that would be able to do a lot of the basic work? And so of the NAT conversions?
I would like to know if ASA 5550 appliance is able to handle SCTP (IP protocol 135) stream in terms of allowing/filtering based on FW rules. We have a problem, though we allowed SCTP IP prot to go through an interface, however I can see that 135 packet are permanently discarded in live monitor. I found some hints here[ URL } but it still seems to me as an assumption
Our company has recently upgraded our firewall from a Borderware Steelgate v7.1 platform to a Cisco ASA 5520 platform. Needless to say the interface on the Cisco platform is much more complex and I don't have much experience working with firewalls. Our other IT guy is out of town and this is the first time I have worked on this setup.
I need to create the following access rule
I need to open port 4**0 to be allowed through the firewall from external ip address 10.XXX.XX.XXX only. Then forward port 4**0 to 10.XX.XX.XX port 80 tcp
I have a rule which permits traffic to a web server and logging is enabled. But when I go to syslog I am only seeing traffic which has been denied. What needs to change to be able to see the logged traffic on permit rules?
I have a SRP547W that I have configured the following way:
LAN 192.168.15.1/24 VLAN1 LAN 10.10.10.1/24 VLAN10 LAN 10.10.2.1/24 VLAN100 PPPOE ADSL Software DMZ going to 10.10.10.x and another to 10.10.2.x - this is working OK
I now want to use the Advanced Firewall features to block all ports except those that I need as the software DMZ forwards everything. When I try to create the rules I get "the values are invalid" message no matter what I try.
I want to create explicit allow rules, followed by a deny all rule for each of the IP addresses used for the software DMZ
Have I got the Subnet Mask Correct for the Destination IP? Or should it be 255.255.255.0? It doesnt make a difference either way
Policy DetailsNameValueSource IP Address0.0.0.0Source Subnet Mask0.0.0.0Destination IP Address10.10.10.xDestination Subnet Mask255.255.255.254ProtocolAnySource PortAnyDestination Port443ActionPermitScheduleEverydayTimes24 Hours
I have a new (about 4 months old) RV042 V3 4.0.0.07 firmware that I am trying to use in fail over mode. I have a SOHO and I normally use cable Internet connection. It is quite fast (15 megabit), but not super reliable. I have added DSL (3.3 megabit) which is five nines (supposedly) but not so quick.
I have a Westell 7500 wireless DSL modem located in the basement, where the telephone lines enter the building. This gives me a wireless link to the second floor server room through a wireless router that connects to WAN 2 of the RV042. The cable modem is in the server room and connects directly to the WAN 1 of the RV042. The cable works, but when it goes down, the DSL link comes up but does not allow Internet traffic. The RV042 is set up as a Bridge and I have set up port forwarding to get the cable to work and used similar firewall commands to route the traffic if the router switched over. I suspect that the problem is in the port forwarding (port 80) or the firewall rules(which are pretty simple) because everything looks like it switches over, but it just doesn't work on WAN2.
