Cisco Firewall :: Port 1025 Allowed On ASA
May 17, 2013
I was reviewing my ASA config and noticed that port 1025 was being allowed in and statically NAT'd to connect to my email server:
access-list outside_in extended permit tcp any host X.X.X.X eq 1025
static (inside,outside) tcp interface 1025 Y.Y.Y.Y 1025 netmask 255.255.255.255
May 6, 2012
I would like to set up a Cisco ASA 5505 to only allow certain IPs on port 3389, but I can't get it to work. Maybe some of you experts know why?
Here is my config:
ASA Version 8.4(3)
!
hostname cisco-asa
enable password ** encrypted
passwd ** encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 95.*.*.* 255.255.255.248
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network rdpuser-1
 host 46.*.*.*
object network rdpuser-2
 host 48.*.*.*
object network rdp-host-pc
 host 192.168.1.20
object
[code].....
The allowed IPs are set up at the user level (rdpuser-1 and rdpuser-2). Still, I can't connect to the server from any of these IPs...
Sep 22, 2012
My friend and I are currently setting up a Xen test environment. As you can see from the picture below, we are running a Cisco ASA 5505 to reach the network from the outside. But the problem is that we want to reach the virtual pfSense's subnets through the Cisco AnyConnect VPN, and currently the pfSense boxes are only configured with a public IP and a virtual interface to the VMs. We could solve this problem by buying another PCI NIC, so that we have a physical link from the "pfSense box" to a tagged VLAN on the switch. But we are having problems configuring the switch to general VLANs, because Xen can't have its management interface on a tagged VLAN directly from the XenServer, but the switch can tag the packet when it reaches the switchport. I would like to have "switchport general allowed vlan 2" for admin and 10 for "LAN", and then trunk the port to the Cisco ASA. But again, Xen stops me from doing this.
Nov 1, 2011
I have a remote site that is using port 4500 within the ISAKMP phase of creating an IPsec tunnel, but for some reason it is also constantly using random port numbers (in bold): [code] These are all blocked by the firewall when trying to communicate with our central router in the trusted network. The central router does not display the same symptoms; it only uses port 4500. Is there a way of preventing the remote router from using random port numbers and only allowing it to use 4500?
Aug 5, 2012
I need to install a LaserJet 1025 color printer on my PC.
Apr 26, 2011
I am using an ASA5550 for a complex secure network that has at least six "outside" networks. Each "outside" network is assigned to a specific port each set at level "0". I also have a DMZ, set to level "50". I am having difficulty with passing traffic from a host in the DMZ to all but one of the "outside" networks. Is there a limit to the number of "outside" interfaces? I will provide a redacted config file as soon as possible.
Aug 23, 2011
A user needs to be allowed through the Cisco ASA 5505 firewall to make a VPN connection to 83.1.**.** address on port 1723.
Aug 10, 2011
I allowed one internal IP using static NAT, and the public IP is 203.18.137.22. I want to check which IPs are hitting this public IP. Is there any command to check which IP is hitting 203.18.137.22? I have the Cisco ASA 5520 firewall.
Jul 29, 2011
I have reviewed this configuration a couple of times and I am not seeing my error. I have two internal subnets, in different VLANs, with the ASA being the default router. The internal zone works fine, but the zone called wireless on VLAN 13 doesn't. The firewall blocks all communications and the rules look correct to me. I want all traffic on this wireless subnet to be allowed to cross over the firewall and NAT to the outside interface, just as the inside zone does.
Apr 20, 2013
Port forwarding is done to a DMZ-located server on the Cisco ASA 5520. Now this host cannot browse, but the allowed outside-to-inside access is possible. Is there any way I can allow this system to browse the Internet? Maybe through the NATted IP (94.20.*.*)?
Apr 4, 2012
We have a Cisco ASA 5580 and the outside interface has a public IP address and we noticed we can ping this address from the Internet. I did a packet capture on the outside interface and confirmed the pings and the IP address sending the pings. The 5580 does not have an access list allowing icmp so I'm not sure what is allowing the pings to this interface.
Apr 12, 2011
If I am using an ASA5505, and I have a configuration similar to below, I see that the untrusted interface is only allowed to FTP to 192.168.1.5. Since the trusted interface is not limited to FTP only, can it basically run any protocol it wants to 10.20.30.2, or does it get limited to only FTP by the other ACL on returning packets? Also, is the ACL applied to the interface because the ACL's name is the name of the interface?
Jul 17, 2011
Can threat detection provoke frequent disconnections on allowed traffic? We are using an ASA 5520 with 8.3.1 IOS. For instance, in ASDM we see SYN attack messages. The source IP address corresponds to an external host (on the outside interface) which is allowed to connect to internal servers (on the internal interfaces).
Our threat configuration is as follows:
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
[code]....
Jun 27, 2011
I have recently set up Splunk to receive my syslog messages from my ASA 5510. In the past I used Kiwi without observing this issue, but I needed more features than Kiwi had available. Anyway, any time I stop the Splunk service, my ASA does not allow any outbound connections to be established.
Aug 15, 2012
I am having difficulty following the logic of the port translation. Here is the configuration on a 5505 with 8.3. So I would have thought the outside access-list should reference the 'mapped' port, but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully.
Dec 2, 2011
So here is my network.
ASA5505--->Cisco1841--->Cat2960
Code
ASA asa831-k8.bin
Cisco 1841 c1841-adventerprisek9-mz.151-4.M2.bin
Cat 2960 c2960-lanbasek9-mz.122-55.SE1.bin
and here is my dilemma.
I can SSH from the internet to my ASA on default port 22, directly to my public IP. I can SSH from the internet to my Cisco 1841 on port 2001. I can not, however, SSH to my Cat 2960. From what I can tell, on the Cat 2960 I can't change the default port 22 for SSH to a different port, just like I did on the Cisco 1841. I looked to see if I can change the default port for SSH on the ASA; it does not look like this is an option.
The bottom line is that I want to be able to SSH to all three devices from the internet. I only have one public IP. As of now, what I can do is only SSH to the ASA on default port 22 directly to the public IP and to the Cisco 1841 on port 2001. It appears that changing the default SSH port on the Cat 2960 is not an option. It also appears that I can't change the default SSH port on the ASA; if I could, I would, and then I should be able to SSH to the Cat 2960 on port 22. No matter what I did on the ASA, it always listens on port 22 for SSH connections.
show asp table socket
TCP 001f549f <<pub IP>>:22 0.0.0.0:* LISTEN
How do I make it listen on a different port?
Here is the relevant SSH config for the Cisco 1841 (port forwarding)
ON ASA
object network ROUTER
host 10.10.1.1
[Code].....
Jun 11, 2012
We have an ASA 5520 and its inside interface is currently plugged into a Fast Ethernet port on a 3750. I have just bought a 1 Gig SFP module and have copied the Fast Ethernet port config to the gigabit port, but the port seems to be flapping.
The port config is this:
interface GigabitEthernet1/0/4
description Link to Inside ASA
switchport access vlan 2
switchport trunk encapsulation dot1q
Nov 7, 2011
I have one server 172.16.0.100 and I NAT this server to a public IP X.X.X.5, and I opened RDP for this public IP. Now when I access Remote Desktop on this public IP x.x.x.5 it opens perfectly. Now my scenario is that I want to open an HTTP URL on port 5555; the server admin opened port 80 for this URL on the local LAN (http://172.16.0.100:80). So how can I map port 5555 to port 80 on the ASA 5520, so that when I hit the URL [URL]
Jan 2, 2012
I have got an ASA 5520. How do I use the management port as a normal port on the ASA? What are the basic requirements for that?
Dec 27, 2011
I must translate port 80 from an outside connection to port 85 on a LAN server. How can I configure the ASA firewall rules to complete this task?
Aug 18, 2011
With the Cisco ASA 5505, is there a more secure port that can be configured for VNC other than 5901? I am new to firewalls. We have a user who has requested that 5901 be opened, but I was advised not to do so for security concerns.
Feb 23, 2012
VPN between datacentre and office: ASA 5510 and HP routers, site-to-site VPN, 192.168.1.0 and 172.16.0.0 networks. If I ping the internal router's Cisco address 192.168.1.1 from a 172.16.0.0 network host (172.16.2.200) I get a ping timeout. At the same time I see the same messages in ASDM monitoring as when a successful ping reaches and comes back from a 192.168.1.0 host (192.168.1.101 for example). Pings from 172.16.0.0 to 192.168.1.0 hosts are OK; only 192.168.1.1 is silent. Looks like the ICMP echo reply is not allowed or something like that. Where should I take a look? Why does monitoring look OK instead of denied according to the ACL?
Jul 27, 2011
I have just deployed an 881 router at a client's site and configured it to allow remote IPsec VPN connections using the Cisco VPN Client software.
The router works fine except for the remote VPN connections.
Client VPN connections are not being allowed and I am sure the problem is the zone based firewall. I have had very little experience with this, most of my experience is with ACL based security.
Jan 14, 2013
I know this sounds like a simple and easy question, but I can't find the answer anywhere, so here it is: I need to know the maximum number of VPN tunnels that a Cisco 881 can handle. (In context, we have a group of users who work from home and this office, so their laptops have the Cisco VPN client; I need to know how many of these VPN connections the 881 can handle at once before it dies a death.) Note: I have read somewhere a line that states the maximum number of users is 20, but I think this was in reference to some VoIP service.
Feb 13, 2013
I just moved into a university residence. Setting up a wireless connection is not allowed; instead we have one Ethernet port on the wall. As a result, we can only have one computer connected to the internet at a time via this wired connection. The problem is, I live with my partner and we both need internet access for our separate computers. We both need to be online at the same time. What is the easiest and most simple way to accomplish this? I don't know much about hubs, routers, and switches. I imagine there should be some sort of basic splitting device I could plug into the wall which would allow 2 computers to use the Ethernet port.
Nov 14, 2012
I was at a site recently and tried to load a Windows AnyConnect package but got an error saying there was not enough memory on the system to do this. They already have a Mac one but wanted Windows for future use.
128 Flash
256 Mem
ASA Version 8.4(4)1
asa844-1-k8.bin
Oct 14, 2012
Users behind a Cisco 1841 are not able to connect to a network using the Cisco Systems VPN Client. Transport is IPsec over UDP (NAT/PAT). The connection just times out.
Which ports should be allowed in the access list? Or do you have a link to an article for this?
Mar 27, 2013
We have a set of PCs which will be connecting via either RA IPsec or SSL VPN to another location. On our site, our perimeter device is an ASA 5520 8.2(3). The interfaces on this ASA don't have access lists applied, so from what I understand, there is a default policy applied globally (class-default). Now my question is: if we set up VPN clients on our PCs, are the ports used by the clients to the VPN server allowed by default, or do we need to tweak the class-default?
Apr 18, 2012
We have an ASA 5510 (v8.2.2 with ASDM 6.4.7, 256Mb mem) with a license for 250 VPN peers. The machine currently has one site-to-site VPN active. I've added a remote-access IPsec VPN for some users, but when connecting from the remote site the connection is dropped and the ASA reports %ASA-4-713239 Tunnel Rejected : The maximum tunnel count allowed has been reached.
I've searched for info relating to this message but I found none. Before I plan a restart (it's been up for 222 days), is there something I could do on the CLI to fix this?
Apr 9, 2012
The address of my server, as a URL, not the IP address (I already have that), and how to find the number of connections allowed by my provider, which is Clearwire.
Jul 31, 2012
I was using the household Ethernet cord this morning and it was working normally. Then I stopped using the Internet to do a program tidy-up; there were a few programs that had been extras to other programs I don't need. Then I went to use the Internet again and it wouldn't connect through the Ethernet cord. I was able to establish that my computer is still able to access the Internet through wireless (which we don't often use on account of it being spotty). Could I have done/deleted/turned off something that allows my computer to read Ethernet cords?
Nov 30, 2011
I use a D-Link DIR-655 router, but it only allows around 24 MAC addresses to be specified in the filter list of ALLOWED MAC ADDRs. With a few laptops in the family, a game box, NAS, printer, e-readers, and smart phones, I'm maxed out. Alternatively, could I daisy-chain them to have one handle wireless devices only and another handle wired devices? If so, I could probably deal with a maximum of 24 wireless MAC addresses for a while. If there's a better router out there that's not so limited, I'll upgrade.
Nov 29, 2012
My laptop is showing that it is connected to the wireless router, but whenever I click on the Internet icon, it will not allow me to connect to the internet.