I would like to know if I can reset the TTL value for all IP packets to 64 as they exit my network through an ASA5505 to the outside network. Can this be done on a 5505?
View 1 RepliesWe have an ASA5520 running ver 7.0(8), nat-control is disabled. On the "outside" interface we have a closed network which is publicly addressed i.e. no access to Internet. We also have two Vlan interfaces on a trunk connection i.e. "inside" interface (Vlan7) and "dmz" interface (Vlan802). Traffic from the "outside" to "inside" is statically NAT'd such that the public IP is translated to a private IP when accessing the "inside" interface. However, our OSS servers on the "dmz" interface need to be able to receive packets from the public IP addresses on the "outside" . All is okay with the outside to inside traffic and traffic initiated from the OSS servers on the "dmz" to the outside works okay (snmp gets etc) i.e. the servers receive reply packets from the public addresses of the outside devices.
However, traffic that originates on the "outside" interface (snmp traps etc) which is destined for the "dmz" is actually being routed to the "inside" interface and therefore the public source address is being NAT'd by the static NAT command. The access-list "in_on_outside" has relevant entries to allow connectivity from outside to dmz, we have tried a static nat command (outside, dmz) to maintain the public addressing but this made no difference and also a nat exempt. With ########nat-control disabled - do I still need a translation or NAT exempt for the "outside" <> "dmz" traffic flow, if so how should this look ?
How to best troubleshoot some errors I'm seeing on the internal interfaces of my ASA 5505. This is similar to the question at [URL], but the details are different enough that I felt it justified a new discussion.
I have an ASA 5505, running version 8.2(2), 256MB RAM. From time to time (on the order of once a week) our monitoring alerts us that both Internal-Data0/0 and Internal-Data0/1 are experiencing an unusual amount of inbound packets which were discarded with errors, up to 2.3 per second as of this post. Here is what I hope relevant output from my device:
asa# show interface ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 10.x.x.x YES CONFIG up up
Vlan2 32.32.32.32 YES CONFIG up up
[code]....
1. My understanding is that Internal-Data0/0 is an internal bus that connects to modules like the 4GE. I don't have any modules installed at all, as you can tell. Therefore, what is this bus doing?
2. For that matter, what is Internal-Data0/1 doing? What does it connect to?
3. I'm guessing that due to the input errors and overruns reported for both of these interfaces, it's a buffering issue. Since these are input errors, does this mean that traffic destined to this bus for forwarding is being dropped because the bus itself is running out of buffer memory? How would I see (and subsequently monitor) the buffer memory for these interfaces? Once I am able to see it, what sort of tools can I use to determine what is causing this?
i have a new 5505 and i have done a few configurations on it. When i try to reset it to the factory settings via asdm i get an error saying it could not be done. I have used config-factory-default using the cli option available in the asdm. I am using asa 8.2 and asdm 6.2. Will erasing the flash reset to factory defaults.
View 4 Replies View RelatedWhy when I try to reset Cisco ASA 5505 by pressing the button behind the hardware nothing happen? Just via software I can reset it?
I bought the hardware an year ago and I've never used, the problem that I don't have the blue cable and via software connecting to PC doesn't work.
I have an issue with input errors, overruns, and input reset drops on the inside interface of an 5580-40 (v8.2.5: Transparent mode) The box is not stressed at all according to the 'show' commands in the Cisco troubleshooting performance document for PIX/ASA v8.2.5. Nothing stands out because is pretty much normal, nothing (processes, RAM, blocks, IO...) really being highly utilized. I have replaced the 10Gig card and that seemed to work because the rate of errors has gone down tremedously. The next step is to RMA the whole box.My question is what would be the cause of the inside interface to stop processing traffic (I say that because the syslog server stops receiving messages) for some periods of 30 seconds periodically throughout the day and clients lose their connections (ie Outlook, IBM Sametime, Oracle, MSSQL..etc). Can the issue be somewhere related to the overruns and input errors?
View 2 Replies View RelatedI completed the PIX 515 to ASA 5505 migration today with no problems - ok one problem with the logon for ASDM. I'm trying no username and password - then using username and password from the 515 Pix with no success. How to reset the username and password for the ASDM GUI website.
View 3 Replies View RelatedI have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to setup a second inside interface on the firewall and configure it as failover incase this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? would it only be a passive/standby interface?
View 1 Replies View RelatedI have been working with ASA 5510,20,40,80 but not with 5505 this vlan and its interfaces are quite confusing.Just want to know how it works and its connectivity to Cisco Switch.Do i have to put the interface of the switch in the same vlan as i am creating the interface vlan in firewall ?Now the switch port connecting to this Eth1 interface should also be in the same vlan ? i.e vlan3 ?? or it will be in trunk ? The default configuration shows the eth0 with no access vlan and interface eth1 with access vlan 2... does it mean the eth0 is in vlan1 ? (Nativ Vlan ) ???
View 4 Replies View RelatedI want to creat sub int on ASA 5505 but when I am trying below command it show error.
------------------------------------
config t
int f0/0.3400
------------------------------------
My ASA software version is 8.2(5).
Can we make sub interface on Cisco ASA 5505 model and if its possible then do that interface need to be upgraded into Trunk Port.
View 8 Replies View RelatedI setup a site-to-site VPN tunnel at the remote ASA5505. I am able to asdm to the outside interface but not ssh. I switch to telnet and still not allow me to access. I added an ACL to allow telnet any to the outside interface but still not working. In ASDM I see the log Here is the second issue. When I want to change the telnet back to ssh using ASDM I got the following error.
View 2 Replies View RelatedI have a problem where my outside interface stops passing traffic and the only way to resolve the issue is to reload the ASA, the interface never is down it just stops passing traffic. The inside interface never stops allowing traffic to pass as I can get to all my internal servers and shared drives.
The firmware is:
asa821-k8.bin
Running Config
: Saved:ASA Version 8.2(1) !hostname f1domain-name somedomain.co.ukenable password w1Y.GBKFyC5NqO3M encryptedpasswd 2KFQnbNIdI.2KYOU
[Code].....
I'm using asa 5505 with 8.4(2) and have the following problem.I have 2 Networks. each Network has it's own externel Internet-Ip and also Mail-Server.
[code]
Now I want a communication between the two Mailservers with their external Ip-Address.I did a static NAT from ipnt any to int any or also from int routed to int routed, but nothing worked.Packet tracer showed at NAT-Lookup where the externel adress of the second Mailserver is passed: Info Static translate Network1 to Network1
But it should show a translation from network1 to network1-external.Due to Security reasons, I cannot paste the whole config.Under 8.0 I did the same configuration with Policy-Nat and it worked.
I have setup ASA 5505 with 2 ISP, named outside (primary) and backup, the scenario is if outside down, then backup will take over, it works now. But it is not working when the primary connection cannot reach the gateway with the interface still up.
Is it possible when the primary connection cannot reach the gateway then backup automatically take over?
My configuration is:
ASA Version 8.2(1)
!
hostname cisco
[Code].....
I have a Cisco ASA 5505, the problem is I am not able to ping to outside natted interface (ip: 172.88.188.123 and 124 and 125) from inside network I have looked for ASA documentation through the internet and still got nothing.
the config are:
: Saved
:
ASA Version 8.2(1)
!
[Code].....
I have a new ASA 5505 and all is working fine, I can CLI and ASDM into it, but just can't ping the inside interface, do I need to enable a feature to make this work somehow?
View 1 Replies View RelatedI am connecting the inside interface to an upstream switch and therefore will need to assign a static IP address to the inside address as I did below:
#sho int ip brief
Vlan1 123.123.123.123 YES manual up up
I will also use this to manage the ASA. I am having a problem with the network configuration of the inside interface as I can't ping the gateway and/or the in IP of the inside interface.Do I need to add any routes?
I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall. I found a post that said to enter "icmp deny any outside", however that does not do it.
I created an ACL to try and do the trick, also to no avail:
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in in interface outside
access-group outside_in in interface outside
I am trying to configure two ASA-5505 as a failover pair. Software 8.2.5 and ASDM 6.4.5.206 Using the wizard i get to step3 .. then nothing happens. Trying direct in asdm but the only interface i can choose is "--None Unnamed-"
View 1 Replies View RelatedI have an ASA 5505 that I'm trying to set up a guest network on. I've configured an interface as a trunk and allowed the 2 vlans but I'm not getting any layer 3 to it. The switch connected to it is a 3560 and port is configured as a trunk with the same vlans.
I can't ping the ASA inside interface but I see its MAC address in the swtich's table.
[code]....
I enabled snmp config ASA 5505 with Version 7.2(4), the NMS/reporting system can give graphs for CPU & Memory usages. But I can't see any elements about physical interfaces.
View 1 Replies View RelatedI would like to allow users from network 10.132.23.0/24, 10.132.33.0/24, 10.132.24.0/24 access to our SQL server(192.168.1.7) located on the inside interface(192.168.1.0/24 network) Those networks (10.132.0.0/16) come from the DMZ interface.
View 12 Replies View RelatedWe have a Cisco ASA 5505 (v7.2(3)) with a "fairly" normal configuration yet we have a problem where it appears UDP/53 traffic is denied on our inside network.
here is output from our sys log:
SyslogID Source IP Dest IP Description
305006 172.18.22.3 portmap translation creation failed for udp src inside:172.18.22.156/42013 dst inside:172.18.22.3/53
To give some clarification:
172.18.22.3 is one of our DNS servers
172.18.22.156 is a device we're experimenting with.
We've bypassed the Cisco by using a 4G wireless router with this same device - and it works flawlessly.Here is a [scrubbed] copy of our config. It is what I inherited from the previous admin - I'm not sure of all its finer points (I'm not Cisco certified -- perhaps I'm just certifiable.)
: Saved
:
ASA Version 7.2(3)
!
hostname [redacted]
[code].....
Trying to add inside routes on an ASA 5505 to point traffic to another gateway for other connected networks is resulting in the following error 6Sep 16200 819:13:5810601510.184.236.1265003810.170.54.1823389Deny TCP (no connection) from 10.184.236.126/50038 to 10.170.54.182/3389 flags RST on interface insideI believe the problem is due to the Asymetric tcp connection and the ASA is dropping the connection because it only see one half of the traffic.Is there a way we can stop the firewall dropping the TCP connections on the inside interface? i've tried removing the threat managment which didnt work.Annoying thing is were putting the ASA 5505's in to replace old Watchguard soho firewalls only the watchguards forwarded the traffic no problem at all.
View 1 Replies View RelatedIf I am using an ASA5505, and I have a configuration similar to below, I see that the untrusted interface is only allowed to ftp to 192.168.1.5. Since the trusted interface is not limited to ftp only can it basically run any protocol it wants to 10.20.30.2, or does it get limited to only ftp by the other ACL on returning packets.Also, is the ACL applied to the interface because the ACL's name is the name of the interface?
View 2 Replies View RelatedI have a pair of 5505's in transparent mode and connected them to C2960S. The inside interface (which is VLAN5 on the switchport) keeps dropping, going in to error state. There is no log reference in the switch and the interface shows as UP. The standby ASA has no problem, both interfaces on the switch is up. As soon as I failover the units over, the active node inside interfaces drops.
View 2 Replies View RelatedI have ASA 5505 with base license. I created 3rd vlan on it.it was created. but i am unable to assign IP to it. i assign ip address it takes it. But when i do sh int ip brief it does not show any ip.
Code...
I have a ASA 5505 with the security plus license. I have 7 vlans, 2 are guest vlans for wireless and wired connections. I am allowing traffic from the guest vlans to any with the http & https protocols I have ACL's in place before the allow all rule that do not allowed traffic from the guest vlans to the other vlans. Is there any way to have all traffic from the guest vlans to always go to the outside interface for the http & https traffic in stead of trying to go to the other vlans first, I know I have the ACL's in place to prevent the traffic but if I would feel better if I had this in place as well.
View 5 Replies View RelatedI am used to setting up access-lists on outside interfaces with ip addresses that are static. I have recently been given a site that is using a dyndns.org client for name to ip address resolution on an outside interface that is dhcp assigned. I created an access-list to open up ports 41794 and 41795 to an engineering application but everytime I try to connect from the outside I get a syn timeout. The application works when inside the lan. Basically I want to allow outside connections from anywhere on the outside to go to ports 41794 and 41795. I am running a Cisco ASA 5505 on version 7.2(4) Below is my conifg. what I may have misconfigured?
: Saved:ASA Version 7.2(4)!names!interface Vlan1 nameif inside security-level 100 ip address 172.31.2.1 255.255.255.0!interface Vlan2 nameif outside security-level 0 ip address dhcp setroute!interface Ethernet0/0 switchport access vlan 2!interface
[Code].....
I have ASA 5505, in routed mode, basic license.I run a web server in DMZ. I can reach Internet from DMZ. Also, the trafic from outside can reach the web server. However, if the web site is requested from within the DMZ, the request will fail, and the firewall log contains the following message:
Failed to locate egress interface for TCP from DMZ50: 30.30.30.10/49213 to 170.70.30.114/80
I don't have DNS, so the request must go to Internet, even the web site is hosted on the server in DMZ.
Here is sample of my config file:
interface Vlan1
nameif inside
security-level 100
ip address 162.160.1.3 255.255.255.0
!
interface Vlan2
[code]....
What can be the reason for requests, originated in DMZ, to fail, and how could it be fixed?
I'm trying to activate the DMZ interface on a restricted license ASA 5505 but I get an error when I try to ADD the interface. The message says "With the current license device will only supports 2 fully functional interfaces. Third interface can be added,but the traffic from this interface to another interface need to be blocked. Please make appropriate selection in advanced tab." I gather that I have to define the limitation myself? The problem is that I can't access the advanced tab because of the error. Can I do something via CLI to get through? I'm using ASA 8.2 and ASDM 6.2.
View 4 Replies View RelatedI am having a problem configuring my ASA 5505 for NAT.
View 3 Replies View Related