Cisco Firewall :: PIX 515 Blocking Outbound Traffic To Certain Sites

Oct 14, 2012

I have a LAN with several Linux boxes (Fedora 17, both 32 and 64 bit), as well as a WinXP box. All of these are connected to the same switch, which is connected to the inside port of my PIX 515.
 
For a few sites (mozilla.org happens to be one of them), for HTTP access, the TCP connection is established, but the "GET" request - or anything else for that matter - will not go through the PIX (from inside to WAN). I have verified this by first using Wireshark to watch the packets being sent out from the client box, then by using the trace function in the PIX to see that the packets ARE arriving at the inside interface, but ARE NOT sent out of the WAN interface.
 
This is for the Linux boxes ONLY. When I do the same thing with my WinXP box, all works: in the PIX trace, I see the packets arrive at the inside interface and leave the WAN interface. And access to these sites is okay.
 
(What's a bit weird, although somewhat expected: when I connect my Android phone to my LAN via WiFi, it too is unable to reach those sites - but then again, Android is Linux, right?)
 
In addition to the tracing, I have narrowed this problem down by connecting a Linux box directly to my DSL router, then by replacing the PIX with a simple router/gateway. Both of those setups work.
 
Some background:
 
I have been using this PIX for about 10 years now, with the same configuration (except IP addresses). Only in the last several months has this problem started to show up.
 
I got this PIX from a dead company at a really great price (free), so I'd like to keep it and not have to spend money on something else. I don't have any support license, and have not been able to get any software upgrades. Here is its version info:
 
taz(config)# sho ver
 
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)
 
Compiled on Fri 07-Jun-02 17:49 by (code)
 
Serial Number: 405200362 (0x1826ddea)
Running Activation Key: 0x38ac31f3 0x0630df47 0x9a77b805 0x8bc39a60

PS: Since this PIX is at its end of life, I was wondering if any of the software upgrades would now be available without a license?


Cisco Firewall :: Blocking Outbound Port 80 Traffic Using ASDM On ASA 5510

Nov 26, 2012

I am attempting to block outbound traffic for a specific PC on my LAN using the ASDM.


Cisco Firewall :: ASA 5510 ACL For Blocking Outbound SMTP

Jan 30, 2013

I'm trying to configure a simple ACL to block SMTP traffic from leaving my LAN -- basically, prevent internal users from setting up internet email accounts in their email clients and sending through that SMTP server. I want only my Exchange server to send SMTP traffic. Here's what I have:
 
-access-list 102 extended permit tcp host 10.10.1.29 eq smtp any eq smtp <===10.10.1.29 is Exchange
 
-access-list 102 extended deny tcp any eq smtp any eq smtp
 
-access-list 102 extended permit ip any any
 
-access-group 102 in interface inside
 
After I apply this ACL to the ASA, I am still able to send from my internet email address set up in Outlook using my "foreign" SMTP server.


Cisco Firewall :: ASA5505 Blocking Outbound IPSec VPN Client?

Jun 20, 2011

I have an XP workstation behind my ASA that cannot connect to a client's network via Cisco VPN Client using IPSec...
 
In the logs it shows the translation is working on port 500, but the VPN Client gives error 412, that the remote peer is not responding.
 
Config below:

ASA Version 8.2(1)
!
hostname RWFW1
enable password encrypted
passwd encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x

[Code].....


Cisco Firewall :: Enabling Outbound Traffic Through ASA 5520 8.4(4)1

Apr 4, 2013

We've got a project that requires a few thin clients to connect to a remote PCoIP server.
 
Looking at the documentation, the only port required to be open through firewalls is TCP/UDP 4172; however, we've seen (making interface captures) that it somehow also uses ESP (IP protocol 50).
 
We've got a static NAT translation translating those thin clients to a public IP address, and we've created ACLs to allow inbound (shouldn't be necessary, as our user is connecting to a remote server) and outbound traffic for TCP/UDP 4172 and ESP, and I cannot make it work.
 
I've also enabled IPSec pass-through Inspection to no avail.
 
How should we configure our ASA to enable this kind of traffic?


Cisco Firewall :: ASA5505 - Outbound Traffic Ceases Even Though Port Is Up

Mar 10, 2011

I've had a Cisco ASA 5505 firewall connected to a cable modem (Virgin Media, UK) for the past 3 years. In the last 6 months or so I have noticed that the ASA would drop the outside (internet) connection intermittently, usually at least once every 1-2 weeks - the interface still shows as being up but no traffic crosses it, and computers on the inside network abruptly lose internet connectivity. Rebooting the ASA or administratively shutting down the interface and bringing it back up again would cure the problem straight away until the next time it happens.
 
In the last couple of days, however, despite nothing having been changed in the configuration, the frequency of this connection drop has increased to the point where I would lose access to the internet within an hour of rebooting the ASA. It does not seem to matter whether or not there is traffic currently going out; inside computers just appear to suddenly lose internet connectivity.
 
I have tried the following without success:

1) I completely wiped the configuration (configure factory-default)

2) I changed the port the cable modem was connected to (eth0/0 -> eth0/7, changing switchport vlan accordingly)
 
I thought perhaps 2) had fixed it, but it lasted a whole 2 hours before I woke up this morning to find that none of the internal equipment had internet access, despite the fact that eth0/7 was showing as up/up in the ASA CLI.
 
This morning I manually set the eth0/7 port to "speed 10" (10Mbps, full duplex). It was previously set to auto-negotiation (default) on both speed and duplex. As of this post it has managed to keep the outside connection up for 3 hours - but I'm not optimistic that it is fixed.
 
Interface counters have never shown any collisions, errors, etc. - only packets input and output, as expected.
 
Since the problem persisted across ports (eth0/0 -> eth0/7), I'm wondering whether the problem could be either faulty memory or some kind of speed/duplex incompatibility between the cable modem and the ASA.


Cisco Firewall :: ASA-5510 Dropping Outbound SMTP Traffic?

Aug 21, 2011

A recently added outbound rule has left my SMTP communications broken. I have since removed the rule and had Cisco do some damage control, but it's still dropping some of the SMTP traffic. I get a number of NDR messages each day like the one below:

Your message did not reach some or all of the intended recipients. Subject: RE: Christopher, Curt Sent: 8/19/2011 9:38 AM The following recipient(s) could not be reached:
  
[URL]
on 8/21/2011 9:49 AM
Could not deliver the message in the time limit specified. Please retry or contact your administrator.
<630.SM.Local #4.4.7>
 
I've attached an image of my configuration (ASDM GUI). The part of the image highlighted in green is the SMTP rules. The part highlighted in yellow is another rule that I added about a month ago to block a SYN attack. This rule may be part of the problem because of its position in the list. Not sure, though.
 
I have had two Cisco techs PuTTY into my ASA to check things out. I think they've done all they can. I wonder at this point if it would be wise to just reload the last good running-config I have from before the outbound rule was added.


Cisco Firewall :: Blocking P2P Traffic On E2500?

Feb 15, 2013

networking but can understand with a bit of explanation.. I own a restaurant and provide free WiFi for my customers with a Cisco E2500. I am getting bills that are through the roof. I contacted my ISP and was told users were accessing P2P downloads (uTorrent, etc.). How can I block these applications?


Cisco Firewall :: 2921 - ZBFW Not Blocking Traffic From DMZ

Apr 22, 2013

OK, I have a 2921 on 15.3-2T. ZBFW is working from the inside to the outside, but the DMZ is not being blocked at all to the inside. I am currently running with subinterfaces. All interfaces have zones attached. I have policies from inside to outside and DMZ to outside; those work fine. Without any policy from DMZ to inside, it can pass traffic freely from DMZ to inside. I have tried making an explicit policy to drop all to inside; it still passes. I ended up just having to put an ACL on the interface.
 
I already tried upgrading the IOS; that is how I ended up on the newest version. This is connected to a 2960S with a trunk port. Everything else works perfectly except for the DMZ security. I haven't had time to try to lab it up yet, but wanted to see if there is any reason this shouldn't work, as all documentation says it should drop all traffic unless you make a policy to pass traffic.


Cisco Firewall :: ASA5505 - Blocking Internal Traffic Between 2 Servers

Oct 25, 2012

I have a Cisco ASA5505; it runs a wide site-to-site VPN network and has 4 servers connected to it:
 
10.50.15.4 > fileserver
10.50.15.5 > domain controller (exchange)
10.50.15.6 > terminal server
10.50.15.7 > terminal server
 
Now, yesterday I removed 10.50.15.6 and replaced it with a new terminal server with the same IP address; ever since, the ASA has been blocking traffic between it and the domain controller (example):
 
2 Oct 27 2012 14:51:05 106007 10.50.15.6 55978 DNS Deny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query

What has me baffled is that the only thing different between today and yesterday is that the new server is Windows Server 2008 and the old one was Windows Server 2003. The new server has the same LAN IP address as the old one to make the changeover seamless for the users.
 
Why, all of a sudden, has my ASA decided to block the traffic between those machines? All the other machines can talk to it fine, just not the domain controller, and seeing that this is a terminal server, naturally you can see the problem I face!
 
This router has worked flawlessly for 2 years now without any config changes, and I can't work out why it's blocking traffic between those 2 machines.


Cisco Firewall :: ASA 5540 Blocking Legit Traffic From Inside

Aug 21, 2011

I just made a move from a PIX 506 to an ASA 5540. I have a user that currently logs into a web portal and runs a job. It is now erroring out. When I run the test it gives me the following message:
 
Testing ports...
Port 1433: Failed
Port 1150: Success
Port 80: Success
Port 443: Success
 
One or more tests have failed
 
The computer we access this site from is on the inside network, and the ACL says permit ip any any from the inside out, so I am not sure why it is failing. Under the ASA Home screen I see the Top 10 Protected Servers under SYN Attack, and it appears that the ASA thinks this is some sort of attack.


Cisco Routers :: RV110W - Firewall Blocking All Inbound Traffic

Apr 5, 2013

I have an RV110W that's been in service since Dec 2012. Everything is working fine, except every month or so the firewall starts blocking all inbound traffic. It does not respond to remote management access. If I reboot the firewall (power off/on), everything works correctly for the next month or so, and then it begins blocking all inbound traffic again. Local access to the Internet and VPN tunneling are not affected. When it's working, all my rules and port forwarding work correctly.


Cisco Firewall :: ASA 5505 NAT Rules Blocking Inside Traffic

Jan 7, 2012

Previous attempts to set up these NAT rules have been met with minimal success. We have been able to get the NAT rules created, and are able to ping our inside servers and receivers from a different outside network, but every time we get that far our internal network crashes. Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to the workstations is being blocked by the default implicit rule under the access rule heading that states "any to any, service being ip, action = deny". Reverse traffic from the workstations to the servers is being allowed, though. In an effort to start over again, the Cisco ASA has been factory defaulted via the CLI, and has had its inside network and outside IP address set back up. A DHCP pool has been set up for a minimal number of addresses on the inside network, since most of our equipment will always be assigned statics. We reset our static NAT policies, and seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. [code]


Cisco Firewall :: 5520 / 4510 - ASA Is Blocking For Returning Traffic

Apr 2, 2012

My internet link is connected to the Internet router, and below it the Cisco ASA 5520 is connected. The ASA is connected downstream to the core switch, a Cisco 4510. Our web-based mail [URL] is hosted outside.

Let's suppose the ISP pool is 4.4.4.0/28. Suppose the OWA server is static NATted on the ASA with 4.4.4.4. My machine's traffic is going to the internet through the same ISP with PAT on the Cisco ASA, and the internet is working on my machine. If I want to access [URL] or the IP directly for mail access, it's not working, and it is also not pinging. I suppose the ASA is blocking the returning traffic.
 
Is there any way for traffic to go out via the same firewall and come back on the same firewall port?


Cisco Switching/Routing :: Firewall On 1921 K9 Blocking UDP Traffic?

Apr 18, 2012

I have a 1921 K9 with a 4 port 10/100/1000 EHWIC switch.

Interface 0/1 = 192.168.1.0
EHWIC = 192.168.5.0
 
I have Active Directory setup on the 192.168.1.0 network. When I attempt to join the domain from 192.168.5.0 it joins but I get errors. After some troubleshooting using portqry I have found that the services related to class map DomainTrafficUDP are being reported by portqry as being filtered regardless of policy map settings (currently set to allow).
  
Building configuration... 
 
Current configuration : 18833 bytes
!
! Last configuration change at 11:20:25 NewYork Thu Apr 19 2012 by dave
! NVRAM config last updated at 13:56:45 NewYork Wed Apr 18 2012 by dave
!

[Code].....


Cisco WAN :: Blocking Secure Sites 881

Nov 15, 2012

I am using an 881 Cisco router and want to block secure sites. I am using a class-map to block sites and an access-list to block secure sites. Now the issue is, if I need to block YouTube, when doing a tracert the IPs of Google and YouTube are in the same subnet.
 
If I am blocking that IP, Google is also blocked along with YouTube, which I do not want. I need to block the YouTube secure site only. I am also attaching the tracert for both sites.


Shorewall Is Blocking Webmail Sites?

Sep 14, 2011

Shorewall is blocking all webmail sites like [URL] etc., whereas I am able to visit all other sites successfully.


Internet Connection Accidentally Blocking Certain Sites

Nov 26, 2012

I am currently at university, using a Local Area Connection. I am aware that the university blocks torrenting, which I am totally fine with, though when I try to carry out a process such as posting a large entry on Livejournal.com or Dreamwidth.org, it tries to load for a couple of seconds and then fails. When in Google Chrome, it says that it's "uploaded 100%" but then I receive "Error 7 (net::ERR_TIMED_OUT): The operation timed out.". When using Internet Explorer, it either doesn't load at all or I get the standard "Internet Explorer cannot display the webpage". When I try to carry out a different process on Dreamwidth and Livejournal (editing my layout), Chrome tells me "Error 101 (net::ERR_CONNECTION_RESET): The connection was reset." These issues always happen, no matter when I try them.


D-Link DIR-655 :: Router Blocking University Sites

Jan 13, 2012

So I can't seem to access ANY site related to my university (www.concordia.ca) anymore from my home network. I've tried to visit the URL or any of its sister sites from my desktop, my laptop, my iTouch, even my PS3; I've also tried cross-browsing, to no avail. I've checked the router page; apparently my Hardware Version is B1 and my Firmware Version is 2.00NA. Access Control is unchecked and there are no sites at all listed under Website Filter. I've also tried resetting using the reset hole and also by pulling out the power cord. I also did a factory reset from the router page; the problem persists despite all of that. Every other site works just fine; it's just my university site that refuses to load up. I've browsed the last 7-8 pages of this forum, and this doesn't seem to be a common problem based on that little sample. So what gives exactly? I used to be able to visit those sites just fine prior to a few days ago.


Cisco :: Inbound And Outbound Traffic In BGP?

Dec 6, 2012

I have two ISPs. I want to direct inbound traffic to ISP1 and outbound traffic to ISP2.


Cisco VPN :: PAT Outbound On 5540 For Traffic?

Feb 28, 2011

We're running 8.3(2) in the ASA5540. Users all over our enterprise connect to a business partner's application through the ASA/VPN. We have a class-b address space, and since the users are spread out all over the place, I have the entire class-b space as the local object in the ACL that allows traffic through the VPN tunnel.
 
The business partner has concerns that our entire address space is available to access the VPN tunnel. So I thought, to alleviate their concerns, to PAT all of our connections outbound to a single IP address.
 
How is this done in 8.3(2)? We use ASDM to configure the 5540. For example, say our class-b is 159.12.0.0 and the PAT'd IP address will be 199.30.36.6.


Linksys Wireless Router :: E4200 Blocking ISP Unmetered Sites / Servers

Jul 2, 2011

I am on a 200GB/month 100mbit cable plan with Telstra, and we have a number of sites/servers which we can download from which do not count towards our monthly download limit. Normally there would be 3-4GB of usage per day which was 'unmetered', but since upgrading to the E4200 router, everything that should be 'unmetered' is not being recognised and is being counted towards my monthly download limit - in other words, all traffic through the router is counted as chargeable downloads.
 
I'm not sure how it all works, but the E4200 router is definitely blocking something out... if I plug directly into the modem or use my previous router (WRT160N), everything works perfectly.


Cisco WAN :: 2821 - Split Outbound Data Traffic

Feb 29, 2012

I have hooked up to the Cisco 2821 router a T1 on Serial and a cable modem on GigEth0/1, and I want to split outbound traffic so that all regular users will use the G0/1 interface for web traffic and the rest of the traffic stays with the T1. I am having an issue where the users on the network are not able to use the internet when using the following config:
 
!
interface GigabitEthernet0/0.10
description Data
encapsulation dot1Q 50

[Code].....


Cisco Switching/Routing :: 2811 Runs ITP IOS / Cannot See Outbound Traffic

Apr 14, 2013

Cisco 2811 runs ITP IOS. On that router we run the SMPP service. A client on the network connects to this service, and we need to capture the traffic for debug.
 
I've tried traffic-export, but I cannot see any outbound traffic. Is there any way to capture the outbound traffic?


Cisco Switching/Routing :: How To Setup Traffic Shaping On 4500X Outbound Port To WAN Routers

Mar 26, 2013

We have some ASR WAN routers which have a dedicated 400M interface to a remote site.
 
Servers on our Local network source the data through some firewalls via 10G interfaces, which connects to 4500X WAN switches then to the Routers on 1G links.
 
The sources are rate limiting the traffic, but the routers are periodically dropping packets, which I think is mostly due to burstiness in the traffic as it traverses from 10G links to 1G and then to 400M.
 
How do I set up traffic shaping on the 4500X outbound port to our WAN routers? I'd like to see if we could buffer and smooth out the traffic as it exits the 4500X WAN switch 1G port to the WAN routers.


Linksys Wireless Router :: E2500 Block Outbound And Inbound Traffic On TCP 5222 / 5223

Oct 23, 2012

I am trying to block outbound and inbound traffic on TCP 5222 and 5223 on an E2500 but cannot figure out how. The reason is I have kids in my house using KiK (texting app) on iPads, iPods etc. My goal is to eliminate this application's ability to function for ANY wireless device connected to my WLAN.


Cisco VPN :: Traffic Between Remote Sites Over 2921 Easy VPN

Oct 23, 2012

We have a Cisco 2921 router at the head office (Easy VPN Server) and have been deploying Cisco 887VA (EasyVPN remote - Network Extension) for remote offices using EasyVPN. We are allowing voice and data traffic over the VPN. Everything has been working great until this issue was discovered today:

When a remote user behind Cisco 887VA calls another remote user also behind Cisco 887VA, the call connects and Avaya IP phone rings but no voice in either direction.

Calls to/from the head office and external mobiles/landlines are fine. Only calls between two remote sites are affected. As there is no need for a DATA connection between remote offices, our only concern is voice support.

I think "hair-pinning" of traffic over the VPN interface is needed. (Example configs etc. would be appreciated.)


Cisco VPN :: 5510 Can't Get Traffic From VPN Sites To Communicate With Server

Oct 31, 2012

I have several VPN sites terminating on a 5510 firewall. All work fine, but I can't get the traffic from the VPN sites to communicate with a server on a DMZ on the same firewall.
 
A packet trace from the outside to the DMZ shows this:
Type: VPN
Subtype: encrypt
Result: DROP

I've configured access to the DMZ the same as to the servers on the inside. I can get to the inside servers OK.


Cisco :: 2500 Wireless Controller Blocking Traffic

May 16, 2012

I have a Cisco 2500 Wireless Controller connected to and controlling 5 Cisco APs. Everything works fine except one device.
 
This device is used to connect to our AP wirelessly, and then any of the wireless laptops can use programming software to connect to the device and program through it. I can successfully set up our device on the network and all PCs can ping it, but the programming software refuses to connect to it. I spent an hour and a half on the phone with the device people, who assure me it's the network. So, I brought in a cheap Linksys router, hooked one laptop up to it and configured the device wirelessly. With that, the programming software works.

What should I be looking for in the Wireless Controller that may be blocking a direct connection to the device, even though I can ping it?


Cisco Routers :: Sending All Traffic To VPN And Blocking Internet On Other End - RV042

Dec 28, 2012

I wonder if I can have an RV042 VPN tunnel to an RV082, and on the RV082 block all traffic to the internet that comes from the PCs that are behind the RV042.
 
Remote PC -> RV042 -> VPN -> RV082 -> RV082 Firewall (block internet traffic, allow intranet traffic)


D-Link DIR-655 :: Blocking Traffic On Port 80 Except For Google Earth

Mar 29, 2012

I've blocked all traffic on port 80 (Advanced - Access Control - Apply Advanced Port Filter - All IP range and Port 80 selected) to avoid any kind of web access. I won't use Web Filter because there are too many URLs to be blocked.

However I have a problem to keep Google Earth working, since it uses port 80.

Is there a way to keep Google Earth working, even while blocking traffic on port 80? I've tried configuring an application rule to let Google Earth work, but it didn't work (it seems that I cannot create an exception for the port filter).


Cisco Switching/Routing :: ASA 5505 - Blocking Traffic To Specific IP Addresses

Sep 24, 2012

I inherited a Cisco ASA 5505 and am trying to piggyback the device off of an established network. Here is the basic layout:
 
192.168.10.1 (Core Router - Handles DHCP/DNS)
192.168.10.9 (ASA 5505 - Piggy backing off of Network)
192.168.40.x (ASA 5505 - VLAN)
 
I'm able to get onto the Internet without any problems. Devices from the 192.168.10.x network cannot ping the inside VLAN1 (192.168.40.x). However, I would like traffic going from the inside VLAN to the outside VLAN to be blocked, except for 192.168.10.1 and 192.168.10.9. I've tried using ACLs but end up killing my Internet connection. 192.168.10.1 is the default route and is how I get out to the Internet. Is this possible? Essentially, I'm trying to set up a small network that guests can connect to. The idea is that they can get to the Internet, but that is it. They can't get to internal resources on the 192.168.10.x network.
 
Here is the config:
 
ASA Version 8.2(1)
!
hostname ciscoasa
enable password EeCsulrpu.9LalEE encrypted

[Code].....


Cisco Firewall :: Outbound ActiveFTP On ASA 5505

Oct 5, 2011

I'm having some issues getting active FTP to pass through an ASA 5505. I finally found out when I tested the FTP via cmd on Windows (after the major hassle of getting credentials out of the software company) that it does open the connection on the control port, but whenever I try to send/receive data the connection is dropped. For troubleshooting purposes I've even gone as far as opening up all ports 1-65535 with an ACL, to no avail. I believe the FTP traffic is encrypted with SSL (can't get a solid Y/N from the company).
