Cisco Firewall :: Policy NAT Setting Doesn't Work On PIX 6.3(3)

Nov 30, 2012

I have a server in a network DMZ (IP 192.168.40.43) that needs to do discovery of other IP addresses to update the IPAM tool. It should not be done with source NAT, so I'm trying to use the configuration below with Policy NAT, but it isn't working:
 
nameif ethernet1 inside security100
nameif ethernet5 dmz8 security55
!
ip address inside 10.56.12.93 255.255.252.0

[Code]....

The following message appears: "% PIX-3-305005: No translation group found for icmp dmz8 srv: 192.168.40.43 dst inside: 10.38.36.50 (type 13, code 0)".


Cisco Firewall :: 5520 Identity Based Firewall Doesn't Work Using Citrix Published

Jul 26, 2012

We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed. When somebody tries to connect thru the Identity based firewalls from a Citrix published desktop environment (PDI), the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDI's IP address shows mostly other users, which then are used to authenticate the access thru the firewalls.
 
What is interesting is that on the AD Agent, using "adacfg.exe cache list | find /i "USERNAME"", I can't see the PDI's IP address either, because it is mapped to another user. Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How do AD Agent, Domain Controllers and Firewalls work together? On the firewalls, with "show user-identity ad-agent" we see the following:
 
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
 
Why does Cisco use 1645 and 1646 and not 1812 and 1813? What is the Listening Port used for? We tried the AD Agent modes full-download and on-demand with the same effect.


Cisco Firewall :: PIX515 URL Filtering Doesn't Work

Nov 14, 2011

I have one outside interface with global IP address 1.1.1.1 and two inside. Both inside interfaces, restrict and non_restrict, have private IP addresses. I tried to filter some URLs on PIX515 IOS 7.2, only on the restrict interface, but my filter does not work. I can access a prohibited URL from the restrict interface. What's wrong in my URL filtering?
 
Here is my config:
 
PIX Version 7.2(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names

[code]....


Cisco Firewall :: Restored ASA 5505 Now VPN Doesn't Work

Jun 3, 2013

A couple of weeks ago, one of our ASA 5505s failed, and Cisco TAC shipped out a replacement. I was on vacation, and my assistant worked with TAC to get our backed-up configuration restored to the new hardware. This backup was just a copy & paste of the "show start," rather than an export done from ASDM. Anyway, since I got back on vacation I was able to iron out all the wrinkles from the configuration restore, except one. The remote access VPN isn't quite working. This VPN is only used in emergencies, when I can't access that branch office's network via our WAN.
 
What's happening is that clients are getting "authentication failed" messages when connecting. On Windows, it's an error 691. The VPN is set to authentication against RADIUS (Microsoft IAS server). The IAS server reports that the connection and authentication is successful. AAA RADIUS authentication tests on the ASA succeed, as do authentication & authorization LDAP tests. Basically, everything was working fine before we swapped in the new hardware, and I've gone over the configuration with a fine-toothed comb to ensure nothing's changed -- but clearly, I'm missing something. The new ASA is otherwise operating perfectly.


Cisco Firewall :: Internet Doesn't Work On ASA 5510 For Backup ISP

Feb 15, 2012

I have an ASA 5510. I set up a basic configuration to test internet with 2 ISPs. My first line works without any problem, but my second line doesn't work. Even when I wipe the configuration and set up only my second ISP, internet doesn't work. Can you tell me if there is anything wrong with this config?
 
CaaaA01#  sh run
: Saved
:
ASA Version 8.3(1)
!
hostname CaaaA01
domain-name example.com

[code].....


Cisco Firewall :: L2TP IPsec Doesn't Work On ASA 5510

Dec 21, 2010

I'm trying to set up an L2TP VPN connection on my ASA 5510 to connect with Android/Windows (native clients). I'm using the newest releases: Cisco Adaptive Security Appliance Software Version 8.3(2), Device Manager Version 6.3(5).
 
My asa config just the interesting part:

crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal

[code]....
 
If I try to connect with a Windows 7 client (NOT behind NAT) I get Error 691.
 
I see that Phase 1/2 are working with debug:
Dec 22 16:32:16 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 1 COMPLETED
Dec 22 16:51:25 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 2 COMPLETED (msgid=00000001)
 
Then I see this "Error":

Dec 22 16:51:26 [IKEv1]: Group = DefaultRAGroup, IP = XXXXX, Session is being torn down. Reason: L2TP initiated
  
I don't understand why it doesn't work... I tried many templates from the net but nothing works.


Cisco Firewall :: 8.2 (ASA5510) / 8.4(2) (ASA5505) - Why Doesn't Route Map / Set IP Next-hop Work

Jan 2, 2012

I need to be able to redirect some HTTP traffic to an Ironport WSA (for now) on a DMZ interface, the initial config I'm trying to test is along the lines of the following (don't have access to the ASA at the moment to cut-and-paste):
 
access-list 101 deny any any neq www
access-list 101 deny tcp host 10.0.2.2 any
access-list 101 permit tcp any any
 
route-map proxy-redirect permit 101
     match ip address 101
     set ip next-hop 10.0.2.2
 
Unfortunately the ASA does not take the "set ip next-hop" command. I get an invalid input error message, and if I type "?" at the route map config prompt, only the "metric" and "metric-type" commands are listed as available.
 
This happens both on 8.2 (ASA5510) and 8.4(2) (ASA5505). Since others are able to make this work, I assume there's something else on the ASA that I have to set to enable this command?


Cisco Firewall :: ASA5505 And Asterisk Remote Softphone Doesn't Work

Jan 5, 2012

I have a problem with my telephony server. My network topology is very simple. I have an ASA5505 connected to the Internet through an ISP. Behind the ASA5505 I have a ToIP server that operates well inside the LAN network. However, when I try to register two or more extensions (softphones) from the Internet, sometimes the softphones register successfully, but sometimes it doesn't work.
 
On the other hand, when softphones outside the LAN do register successfully with the Asterisk server, it is not possible for one of them to call the other, and the Asterisk server detects them as "UNREACHABLE". I don't know if the problem is all the traffic inspect commands or if the problem is related to a particular UC proxy license.
 
These are configuration lines:
 
object-group service elastix-ports
service-object udp eq sip
service-object udp gt 10000

[Code]......


Cisco Firewall :: 5500 Blocking Skype Application Doesn't Work With ASA CX

May 12, 2013

I'm trying to build different content security scenarios for a potential deployment of an ASA5500-X series firewall with CX module and ran into a trivial problem. A simple access policy has been configured to deny Skype. It's as simple as it sounds. To my surprise I don't see that it is being enforced. I have all my pending changes committed, and events are now showing with hits; see attached print screens. I tried to start Skype on my PC, with the source shown on the print screen, and don't see any effect of this policy.
 
As a side note, I know for sure that other type of filtering does work, i.e. I have configured a deny filter for gambling URL category and it seems to work nicely.


Cisco Firewall :: ASA 5510 - Saving Config Via Scp Doesn't Work After Updating To 8.24

Apr 5, 2011

Since our update of Cisco ASA 5510 (active/standby cluster) from version 8.22 to version 8.24, it isn't possible to transfer files from/to an sftp client. The request just times out. SSH from this client is possible.

[Code]...


Cisco Firewall :: ASA5540 In Multiple-context SNMP / Icmp Doesn't Work

Jun 10, 2013

What's going on with an asa540 configured in multiple-context mode? I have a Cacti server on my LAN and now I'm trying to monitor the interface with SNMP. When I try to get this information, it returns the error message:
 
CISCOASA/CONTEXTA#
JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverve path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
 
If I try to ping, it returns the same error:
 
CISCOASA/CONTEXTA#
 JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp  reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
   
Attached is the conf of my ASA. My question is: why can't I ping or even use SNMP?


Cisco Firewall :: FWSM Version 3.2 - No Access-list Line X Doesn't Work

Dec 10, 2011

I am trying to remove a line in a particular access-list configured in a FWSM module using this command "no access-list <acl> line 19 x x x x" but it doesn't work. See below:
 
FWSM/xxx03(config)# no access-list ?
 configure mode commands/options:
  alert-interval  Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny

[code]...
 
How can I remove a line from the access-list without clearing the entire access-list?


Cisco Firewall :: ASA 5520 CIFS Doesn't Work For Share Folder On Windows Server 2008 R2

Jun 26, 2010

I am using an ASA5520 with webvpn for file sharing. Recently we upgraded the OS that hosts the file shared folder from Win2003 R2 32-bit to Windows Server 2008 R2 64-bit. Now I have a problem accessing the file share through ASA webvpn: an "error contacting host" appears. We have tested the webvpn file share on the other OSes, Windows 2003 and Windows 2008, and it works on these except Win2008 R2. Currently the ASA OS version is 8.0(2), and the Windows firewall has been disabled.


Cisco AAA/Identity/Nac :: ACS 5.3 Cannot Work With Two Service Policy Rules

Feb 21, 2013

I have an issue with an ACS v5.3 Appliance. I have an ACS v5.3 to authenticate wireless users, together with a Cisco WLC. One profile is for corporate users and the second profile is for guests.
 
The corporate users should authenticate with Active Directory and the guests with the WLC. Guest users should authenticate with the ACS Local Database. I have configured two service selection policy rules that match on protocol RADIUS. The first rule is for users of Active Directory and the second is for users in the Local Database of ACS.
 
When I try to authenticate users with Active Directory it is OK, but when I try to authenticate users with the Local Database (Guest Portal), the ACS tries to find the internal user in Active Directory, because it matches the first rule, and the second profile cannot authenticate. When I change the order, first the rule for internal users and second the rule for Active Directory users, the internal users can authenticate to the ACS, but the users in Active Directory cannot authenticate.
 
I think my ACS only authenticates the first RADIUS rule to Active Directory, not two RADIUS rules at the same time. Or maybe there is an issue in the OS of the ACS. Authentication of each separately is OK.


Cisco Switching/Routing :: 7200 - QoS Input Policy Doesn't Classify ICMP Packet Based On DSCP

Dec 20, 2011

I have made some tests and I noticed that the QoS input policy does not classify ICMP packets based on their DSCP. The "match dscp ef" or "match precedence 5" is not working; only the "match protocol icmp" shows hits.
 
We need to classify the different ICMP packets based on DSCP (TOS) for measurement purposes. CISCO 7200, 12.4.25d and 12.4.20T have the same behavior.


Linksys Wireless Router :: Does Internet Access Policy Actually Work On E4200

Mar 7, 2012

I'm just about to trade-in an E4200v2 for a E4200v1, primarily to regain the "Internet Access Policy" capability.
 
Just wanted to do a reality check with those of you who tried/use IAP... does it work basically as advertised?
 
I would be using IAP to specify MAC addr's of devices, blocking them from certain URL's and limiting their hours of Internet access.
 
And I plan to have Linksys's DHCP Server turned OFF, since my Windows Server handles DHCP on my network.
 
Should I expect all of this to work OK?  No major reliability problems with IAP?


Cisco Firewall :: 1811 / Zone-Based Policy Firewall Configuration

May 16, 2011

I have two 1811's connected in a lab using an IPsec VPN tunnel (using a switch to simulate an internet connection between them). I am trying to configure one of the routers as a ZBPF just to allow a remote Windows login (DC on the firewalled side, workstations on the other side). I'm trying to verify that the ZBPF is working, but it doesn't seem to stop anything. I had match icmp added to the class-map, but took it out to test if ICMP would fail. It didn't. Basically, I don't think the firewall is working at all. Any thoughts on how I can configure this so that the policies will work between zone-pairs?

Here's a quick drawing:

Here are the configurations:

 Local router:
 hostname sdc-1811-LocalLab
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy

[code]....


Setting Up VPN On Work Network?

Oct 19, 2012

The company I work for has a system that our employees clock in on called UNIX (ancient program). I have an iSSH app on my iPhone that I can now log in to as long as I am on our wireless network here at our office. However, I have to travel a lot and usually I'm gone during the day that all our time corrections have to be adjusted and turned in. I just log into my Unix program and adjust it... however, if I'm out of town I have to do the entire thing over the phone with a lady in our bookkeeping department and it's incredibly annoying and time-consuming. So we're looking for a way to be able to access our system through my iSSH app while on cellular network rather than being here at the office. My administrator wants me to find this out so that all our department heads can do this. I don't have any way of getting our internet provider to set up a port forward, so the only information I have to work with is our static IP address, our default gateway, our subnet mask, and the primary and secondary DNS servers.


VPN Doesn't Work Properly?

Jan 11, 2011

I have a problem with the VPN connection on notebooks. Sometimes the VPN connection works perfectly, and other times it just doesn't work at all. The Cisco VPN client software is version 5.0.04.0300. The operating system is Windows XP Prof SP2. When the connection fails, the client statistics window shows "Bytes Received: 0". Rebooting the system has no effect.


New Share Doesn't Work

Jan 27, 2011

Normally, when one right-clicks on a drive letter having opened 'My Computer', then selects 'Sharing', there is a warning about sharing a whole disk and the option to accept anyway. One laptop doesn't offer that. It just shows the admin share of C$ immediately. If I choose 'New' at the bottom of the panel, a new drive letter and drive name can be entered, but it can never be accessed over the network! It shows up in the workgroup, but I get a network error 'Network path not found' if I try to access it. I can ping the laptop from anywhere by name and IP address. The laptop can access all the other PCs without any problem.


Cisco :: LMS 4.2 Syslog Collector Doesn't Work

May 21, 2013

On my LMS 4.2, the syslog collector isn't working even though the syslog collector service is running normally. I also saw that syslog_info is working to collect syslog from all routers, but it does not show up in dashboard monitoring. I have set every router to log to the LMS IP address, but the LMS cannot collect any syslog from the routers. I did a self-test from the LMS and everything passes except nslookup, which fails. Is that related to syslog not showing up on the dashboard?


Cisco Wireless :: Air-AP1142-e-k9 Doesn't Work With 802.11n?

Jun 29, 2012

I bought a Cisco AP (air-ap1142-e-k9), and we know this AP works with 802.11a/g/n, as the description note on the package carton says, but my problem is that when I configure the AP it works only with 802.11a/g. I tried to make it work with 802.11n but failed.


Cisco WAN :: 881 3G Won't Work - Doesn't Receive IP Address

Jan 26, 2011

I'm trying to configure Cisco CISCO881G-K9 3G router to connect to mobile network without success. The cellular interface gets up but it doesn't receive IP address. It seems that profile isn't activated and it should've been.
 
I've attached running config and some other information gathered from router.


Cisco VPN :: L2TP On ASA 5505 Just Doesn't Work?

Nov 20, 2011

Cisco ASA 5505 ver 8.4. Most things work, but now I want to set up a VPN connection. I have done this 2 ways, first by using the "VPN Wizard" in ASDM and then, 5 hours later, removing everything and configuring from the CLI. And it just doesn't work: the client (WinXP & Win7) gets "error 792" and sometimes "error 789" (both indicating a problem with phase 1, I'm pretty sure of that). Googling on those gives a few suggestions; none works. All I get in the log on the Cisco is "Error processing payload: Payload ID: 1". Googling on that only comes up with a few pages telling me this message is caused by an error. (Yeah, I could never have guessed...) For the CLI config, I followed this tutorial carefully (3 times actually...) url... I'm using PSK for IPsec, entered the same on the Cisco and the client, checked several times; this is not a password/PSK issue. Ports opened on the Cisco: 500, 1701, 4500. (For a try I opened all ports, no change.) And here's the "show run". [code]


Setting Up New Work Network And Add To Already Existing One?

Jun 4, 2011

We are setting up a new sales office where there will be between 5-10 users. At the moment, we run everything off one server which has all the file shares, printers, Active Directory etc. I know so far I will need the server cabinet, but my main concern is how I will make this new site connect to the already existing network, and the other things which I will need.


Internet Doesn't Work On Desktop?

Mar 11, 2011

So, my desktop, running windows 7, can no longer connect to the internet. It has no problem connecting to the router, but it will not receive packets. I double checked my connection using my laptop and it works with wireless and wired connections, so I know it's something with my desktop. I would really like to avoid doing a reinstall, I don't have anywhere to back my data up to.


Wireless Doesn't Work When Main PC Is On

Jan 16, 2012

Whenever my main PC is turned on, I get no signal from the wireless, like I cannot use my phone or laptop on the internet. I use an Ethernet cable which is directly connected to my main PC. My Windows is also Windows XP and my modem model is TG782T. Only if my PC is turned off does the wireless work.


Internet Doesn't Really Work Unless VPN Is Connected?

Aug 17, 2011

I have been having problem with my internet lately. I live in UK and there is this game that I used to play that has a region IP block so I have to use Hotspot shield to play,but now my internet doesn't connect to Hotmail or this forum unless hotspot shield is turned on. How can I fix that? I tried config/flushdns but no luck. I am using window xp.


Laptop Doesn't Work Wirelessly

Sep 20, 2012

We have recently switched routers and now my laptop doesn't work wirelessly; it connects to the router but there isn't an internet connection. The laptop works fine when the LAN cable is plugged in though. Our other laptop can connect to the internet with or without the LAN cable. Both are Toshibas running on Windows Vista. I have tried various approaches such as downloading the latest Atheros AR5007EG drivers but it said that they're already the most up to date. [code]


USB Wireless Adapter Doesn't Work?

Jun 16, 2011

I purchased a used Compaq laptop with a Realtek USB wireless adapter. The laptop came with XP Pro. I connected the adapter and everything worked great. My husband got a virus I couldn't remove. I have the CD for XP Home so I did a clean install. Windows works fine. I connected the USB wireless adapter and ran the installation disk. When I open Realtek to connect, nothing appears in the available networks. I checked the device manager and it says Realtek is working. I turned off my 2Wire gateway and then reconnected it. I double-checked that the Windows wireless utility is disabled. Still no available networks. Everything was fine before the reinstall of Windows XP Home.


Internet Doesn't Work All Of The Sudden?

Nov 5, 2012

It's a 64-bit machine, with Windows 7. He fills out surveys and gets money from them, and I don't like to work on his machine because of this. But... he called, so I came over. Anyhow... I'm worried that the Ethernet has gone bad on the motherboard, but they bought a USB stick for wireless internet, and that didn't work either. I realize I have basically no worthwhile information. His router works fine; if you plug in another computer it can connect to the internet, but his computer can't. Something is turned off as far as I can tell. And I can't figure out how to turn it on.


Ethernet Cable Doesn't Work?

Oct 20, 2011

I have a cable that is not working on the router end or the computer end. Could I have the wrong cable? The writing on the package is: Category 5E patch cable, 350 MHz, UTP Standed 24AWG, PVC jacket, molded boot, 50U" plugs, complies with FCC part 68. Cat5e patch cable, RJ45-RJ45, 24 AWG stranded, 568B.


Wireless Doesn't Work When Main PC Is On?

Jan 16, 2012

Whenever my main PC is turned on, I get no signal from the wireless, like I cannot use my phone or laptop on the internet. I use an Ethernet cable which is directly connected to my main PC. My Windows is also Windows XP and my modem model is TG782T.
