I'm trying to use port redirection to allow outside access to a internal web server. As far as I can see, everything is configured properly. The Open Port Checker tool from yougotsingle.com says that the port (80) is open. However when I goto access it the connection times out. The external address is static from my ISP, and I will call it xxx.xxx.xxx.xxx. The server is at 10.1.1.20, and is functioning properly over the LAN.
I am having difficulty following the logic of the port-translation. Here is the configuration on a 5505 with 8.3,So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully.
I'm new at the ASA5500 domain. I have a question: How can I redirect traffic coming on a port to a machine inside the LAN listening to another port ? I would like to use ASDM.
We have a singe IP Address in the Internet and want to forward SMTP traffic that hits our ASA Outside Interace to the internal Mailserver.And we like to forward Http Traffic to our Webserver.
Example.
212.23.23.23 Port 25 -> 192.168.1.100 Port 25 212.23.23.23 Port 80 -> 192 168.1.200 Port 80
How do i acomplish that. Which NAT rules do in need?
We have 2 TS (Terminal Servers) and have configured the 1st RDP using my public address (say 8.8.8.8) on port 3389. it is working very well of course. However I need setup my 2nd TS but will use port 7777 on the same public address which is not working.I am using ASDM 6.3 and firmware 8.3.1.Is this a limitation for this IOS?
I'm having issues both with port forwarding and VPN with my PIX. I've tried different ways to set up port forwarding for remote desktop, but I still haven't had any luck.
With the VPN, I can secure a connection into the PIX, but I cannot access the internet or ping any of my devices on the remote network.
I have CSS in single arm deployment model. I want to configure port redirection for the servers. Servers are actually running web service on port TCP 3636. Which is accessibale by VIP http://192.168.200.87:3636 but I dont want to give user this URL I want the user to use standard HTTP URL as mention below, I want user to open http://192.168.200.87 and once they access this URL automatically CSS redirect them to port 3636. How I can achive this. I am using IP addresses for the load balancing.
I am using cisco 5520 for my RAS & site - site VPN's. backbone 6509 --> CISCO 5520--> ISP router with 3 ethenet interfaces.From cisco 5520 there r 2 connections to router, one for sit-site vpn outside interface and the other for RAS outside. I want to configure url redirection on 5520 so that when someone from outside access public IP it should forward it to the server in LAN. I want to use the interface hosting RAS for this.
I currently have WCCP redirection setup on my ASA 5520 to redirect to an ironport on ip address 10.11.1.10. The ASA inside ip is 10.11.1.1 and the ironport is setup for transparent redirection to that IP. This all works well and the Service Identifier i'm using for WCCP is 95.I am now creating another WCCP group because on my ironport I have 4 interfaces so I wanted to use them for our admin network. So I created an ACL on the ASA for our admin traffic and I want to redirect that using Service Identifier 94 to the ip on the ironport of 10.11.1.22. But I can't get traffic to redirect.
I have the following topology, WCCP is configurated on ASA, inside interface, lan users and websense machine are located on the same VLAN of my catalyst 3750G?I want to filter traffic on port 80 (www) to the users on the LAN side debug on the ASA show me that comunication between that device and Websense is OK, there is Here_I_Am and I_See_You packets
WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015B WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015B WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015C WCCP-PKT:D00: Received valid Here_I_Am packet from WEBSENSE_PROXY w/rcv_id 0000015C WCCP-PKT:D00: Sending I_See_You packet to WEBSENSE_PROXY w/ rcv_id 0000015D
From show WCCP i saw that WCCP engine and ASA were detected
FW# sh wccp Global WCCP information: Router information: Router Identifier: 200.X.X.X Protocol Version: 2.0
I would like to do something verys imple with IPTABLES but i canno't find any "simple" way to achieve...iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/24 -p tcp --dport 80 -j DNAT --to squid-box:3128.The idea is to redirect any connection to any host which try to connect to port tcp 80 being redirected to a server called squid-box on port 3128.I have seen that for proxy squid implementation with ASA i had to use wccp but for my personnal understanding.
I have a ASA5585 running 8.4 that is redirecting Internet http to a websense server via GRE.The integration is working fine, except when a user PC sends a large packet (~1500 bytes).With WCCP/GRE headers, the user packet is too large to be transmitted to websense, so the ASA fragments the packet in two and transmits both to websense.
A sniffer trace confirms that both fragments reach the websense server, but the TCP packet is never acknowledged.User-side TCP retransmits the large packet three times over 15 seconds, and eventually retransmits fine with smaller packets. The 15 second delay is of course not acceptable.Users and Websense server are both on the Inside interface.
We are considering imposing browser proxy to websense (which works fine), but would prefer not, considering the increasing diversity of devices.
I have a 5520 ASA using wccp redirection to our IronPorts on the inside and everything works great for inside users. What I'm trying to do is get VPN users off split tunneling and to filter their traffic through the IronPorts as well but I can't figure out how. When they connect they seem to bypass the Ironport completely.
Web auth redirect URL gets dropped if stateful firewall is between webauth host and switch management interface. Aaron at Cisco live london kinda hinted about maybe Cisco working on this ? We can't disable stateful inspection. Is there any other solutions or workarounds ?
"Although this approach introduces additional hops in the return path from the switch to the host, it produces negligible load on the default router and intervening infrastructure since only the WebAuth traffic from the switch to the host follows this path. In campus designs that do not use SVIs on the data VLAN,6 a default route is typically already configured. In this case, no additional configuration is required to support WebAuth.
However, problems may arise in the case in which traffic to the default router is bridged through a stateful firewall. The original SYN packet in the TCP handshake is consumed by the access switch, so the first packet that the firewall sees is the SYN-ACK packet from the access switch. Stateful firewalls typically drop SYN-ACK packets if they have not seen the original SYN packet.In this case, you will need to turn off stateful inspection for ports 80 and 443 on the firewall."
I have an Pix 515E firewall with Pix724-33.bin IOS. I just want to know that does this IOS support SNMPV3 or I will have to upgarde it with some other version.
Ive got a problem with passing traffic through a Cisco 515e firewall.im trying to telnet to devices on the inside net, 172.16.x.x fom an outside net 10.x.x.x? ive configured a group called infrastructure and added the 10.x.x.x addresses.ive configured acl 101 inbound on the outside interface:
access-list 101 permit tcp object-group INFRASTRUCTURE any eq telnet
when i try and connect, using a packet capture I can see traffic from 10.4.4.34 to the inside device 172.x.x.x on the inside interface but i cant see the traffic leave the outside interface ive used the same group infrastructure group before to connect to VM machines on the 172.x.x.x net on RDP and this wrks ok. access-list 101 permit tcp object-group INFRASTRUCTURE object-group VMs eq 3389
I am trying to set the PIX firewall to transparent mode.After I set it to transparent firewall, I allowed all icmp, tcp, udp traffics.Currently, any devices in the inside network can get the ip automatically from DHCP server in the outside network but cannot ping to any servers in the outside network either access the internet.Do I need additional confiration on the firewall?
Here's the configuration:
PIX Version 7.0(1) firewall transparent names ! interface Ethernet0 [Code]....
I have a PIX 515 Ewhich does authentication for SSH via RADIUS protocol and fails over to the local database if radius server goes offline. But when the radius server comes back online, authentication still takes place through LOCAL and not the radius server. Following are the commands:
\I just configure my PIX 515E with version 7.0(4) and having problems to get traffic out on eth0 (if name outside). There is no problems between different VLAN ,all VLANs are configure on eth1. It is also possible to accass services on VLAN 10 (DMZ) from outside. The only thing I see in syslog is "Built Outbound" and "Teardown".
I have a Pix 515E running PixOS version 8.0.4 with two interfaces, inside and outside.On the inside interface, I have a Redhat Enterprise Linux 5.4 64 bits machine as an NFS server version 4 (NFSv4).On the outside interface, I have three (3) Redhat Enterprise Linux 5.4 64 bits as NFS clients.I am looking for the exact UDP and TCP ports to be added to the ACL in order to accomplish
I need ot upgrade a Cisco PIX 515 E to A Cisco ASA (not sure what type and modle yet!). the PIX currently has about 80 lines of ACLs and no VPNs. So only inside and outside interfaces and 80 lines of ACLs to be transferred over to the ASA.I was wondering if the ACLs can be transferred over to ASA as is?is there anything that I need ot watch for?
I have an issue in the Cisco PIx 515e series. The IOS is 6.1(2).I have set sepecific access-list to allow incoming traffic to inside interface. But still the TCP 3-way handshaking is dropped here. [code]
We just switched over from a T1 line to 50/4 Mbps cable Internet. The speed was fine with the T1, but when we switched over to cable, the download speeds didn't increase. I'm getting 2-3 Mbps up and still only 1.5 Mbps down. I inherited this network a few years ago, so I didn't configure the Pix initially but I have been managing it and can't find a setting limiting the bandwidth for the liffe of me. I know it's not the Internet because when I connect a computer straight to the modem, the speed is great. As soon as I put it through the Pix though, it slows way down.
I have Cisco PIX 515E for my Lab and can't recover the password. It is not connected to the network. I have configured server, address, gateway from the monitor mode and tftp not seeing my laptop. best way to reset or recover password.
I've been struggling to get ASDM (PDM) installed and running on my PIX 515e. The PIX IOS version is 7.2.4(30) The ASDM version I've copied to flash is 524.
I've followed the Cisco documentation verbatim, however I still cannot connect via the Java ASDM client or via http. When I try to connect via http, my PIX shows the following error: "tcp access denied by acl from..." I do not this this is a security (ACL) issue as I've tested after opening everything up and still no luck.
Here's my running config (w/ the relevant statements prepended with ">>>"):
I have the following Pix 515E Firewall, that has been working good for a few years. But suddenly, the Pix stop booting up. The only thing that is happening is the power and network traffic led flashes and the active led is off. So my question is that is this symptom a hardware or software problem and is it fixable with either new parts; or is my firewall dead. I suspect that it is a hardware problem since the active led doesn't light up. I cann't even enter the ROM Moniter mode.
