Cisco Firewall :: Setup ASA 5505 Access Or NAT Rules To Inside Server / IP Cam
Oct 25, 2012
I'm having trouble setting up the correct rules on an ASA 5505 I'm using in my home office. I have a couple of IP Cams I need to access remotely.
I've tried setting up simple NAT(PAT) and/or Access Rules, but it hasn't worked. I have a single dynamic IP for the Outside interface. Call it 77.76.88.10 and I am using PAT. The CAM is setup to connect on port 80, but could be configured if necessary. I've tried setting up NAT Rules using ASDM as follows:
Match Criteria: Original Packet
Source Intf = outside
Dest Intf = inside
[Code]....
I'm afraid to use CLI only because I am not confident I'll know how to remove changes if I make a mistake.
Previous attempts to set up these NAT rules has been met with minimal success. We have been able to get the NAT rules created, and able to ping our inside servers and receivers from a different outside network, but every time we get that far our internal network crashes. Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to the workstations is being blocked by the default implicit rule under the access rule heading that states "any to any, service being ip, action= deny". Reverse traffic from the workstations to the servers is being allowed though. In an effort to start over again, the Cisco ASA has been Factory Defaulted via the CLI, and has had it's Inside network, and Outside IP address set back up. DHCP pool has been setup for a minimal amount of addresses on the inside network, since most of our equipment will always be assigned statics. We reset our static NAT policies, and seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. [code]
I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to setup a second inside interface on the firewall and configure it as failover incase this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? would it only be a passive/standby interface?
We've just started with the ASA 5505. We do run a DHCP server on the inside interface, so it is in the same VLAN 1 as all of the clients. However, we cannot get it to work.We can't use DHCP Relay, as the ASA 5505 only allows to relay to DHCP servers in a different subnet.Or do we have to move the DHCP server to a different subnet. If so, how would we configure that scenario?
Setup firewall rules that will block all inbound Internet access to the web server except port 443, Setup firewall rules that will block all communication between the two internal networks, except ports 7000 and 1702
We have an ASA5505 UL bundel, updated with this license "L-ASA5505-SEC-PL=" to enable traffic from DMZ to Inside. No NAT or rules deployed for that yet.
On the Inside we have Exchange 2007 in a single server installation. The public url for smtp, ActiveSync, OWA and Outlook Anywhere is mail.company.se. There is a static NAT for outside traffic to access above mentioned services on inside. Now, on DMZ there is the WLAN for guests to access the Internet. How ever, our Smart Phones with WLAN turned on, cannot sync to the Exchange Server on the Inside! The DMZ gets IP-addressen from ASA on DMZ Interface with external DNS configured. How can I configure the ASA to achieve the function of ActiveSync from DMZ to Inside with the public URL from the phones?
I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with. I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA. Thay can ping each other. The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10. I do not need split tunneling to be enabled. The active WAN interface is the one labeled outside_cable. [code]
My users on 571 need to access a web server on the 469 interface. However, the requirements are that the 571 users can only access the Website using the public FQDN which there is a static NAT from outside to 469. [code] Here is also the Packet-Tracer and it shows what I expect that the traffic is source from 571 and exits 469. However, the users are not able to access the website.[code]
Using an ASA5505, have 1 static outside address, want to access an inside SBS-Server on SMTP, RDP (3389), HTTPS and port 987
Have configured network object nat rules using the asdm, SMTP works (I can telnet to the server on port 25 from outside), however for some reason I can not telnet inside and out on port 25, so outgoing mail does not work. RDP does not seem to work from outside, 987 I havent tested from outside. When I try to create a network object nat rule for https I get this message from the ASA:
Configuring an asa 5505 with 8.42 software.I need to access an https server on the inside via the outside interface. have moved the http server enable to port 10443.Tried to make a "network object nat rule"
My internal network consists of Catalyst 3750 switches segmented into different VLANs. There is a default route on the layer 3 Catalyst switch sending all unknown traffice to the inside Internet of the ASA 5510. However, I'd like to have a separate VLAN for wifi guest access and send all of that traffic through one of the DMZ interfaces on the ASA 5510. I don't think you can have separate default routes based on VLANs on the 3750 switches so my only option is to make the ip address of the DMZ port the default gateway for all hosts on the wifi guest VLAN.
The problem I have is that I have a couple servers behind the inside interface that have services available to the public Internet via a NAT address on the outside interface. I want the guests on the wifi VLAN to have the ability to access the servers on the inside interface using the public address as well, but have not been able to come up with a solution yet.
Here is my config that pertains to this setup:
interface Ethernet0/0description Outside Interfacenameif Outsidesecurity-level 0ip address 76.47.10.x 255.255.255.224 rip send version 1rip receive version 1!interface Ethernet0/1description Inside Interfacenameif Insidesecurity-level 100ip address 192.168.17.1 255.255.255.0 rip send version 1rip receive version 1!interface Ethernet0/3description Wifi Guest Accessnameif DMZ2security-level 50ip address 192.168.60.1 255.255.255.0
I have assigned a task to configure a vpn between windows 2008 server and cisco asa 5505, what kind of vpn should i go with as the windows 2008 server r2 is on cloud and is it possible to configure site-to-site vpn for this network senario or not.. i have try ikev1/ipsec remote access vpn with l2tp with (CHAP, MS-CHAP v2) and couldn't find any document which will allow me to configure windows 2008 server to behave a client and connect it to asa, well what i did is that i configured a dail-up connnect with l2tp and found the following debug message
Sep 09 20:04:02 [IKEv1 DEBUG]IP = 172.16.32.5, Oakley proposal is acceptable Sep 09 20:04:02 [IKEv1 DEBUG]IP = 172.16.32.5, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
In the last 8 month I have been upgrated at least 6 Cisco ASA 5505 from 8.2(1) to 8.4(3) without problems, I did a minor changes and all related to rules due a problem with the migration.
Here is my environment: DSL Modem - ASA 5505 - switch ,Inside network (192.168.2.0/24)
What I have successfully done: - Modem online and passing on DHCP requests from the ASA to my ISP (ASA does get an internet address on the outside interface) - ASA assigning DHCP to internal network - All internal clients can access the internet.
What I am getting stuck on is getting NAT rules set up for simple port forwarding. What I would like: ANY internet address be able to access a server on the inside network address (192.168.2.x) over tcp/22 . I set up what I believe to be the correct NAT rule and Access Rule, but the packet tracer fails. Here is my config.
We have a Cisco ASA 5505. As of yesterday we could no longer access our web server (the web server is hosted off-site). Pinging the DNS address and direct IP (from the firewall and a PC) both return no response. Pinging the IP from the T1 router responds properly, meaning the router can access the web server, but the firewall cannot. Accessing the web server has never been a problem, and no configuration changes have been made to the network/firewall. Other locations can access the web server just fine.
I would like to allow users from network 10.132.23.0/24, 10.132.33.0/24, 10.132.24.0/24 access to our SQL server(192.168.1.7) located on the inside interface(192.168.1.0/24 network) Those networks (10.132.0.0/16) come from the DMZ interface.
I am new to ASA's and have just configured my 5505 out the box with an outside (10.10.1.7) + inside (192.168.1.1) IP & NAT. The ASA has got a default route to another router (default geteway) thats connected to the internet. I have it connected this way so I can play and **** around with the ASA. My problem is when I try and ping a host on the ASA inside network (192.168.1.0/24) from the outside (10.10.1.0/24) I'm getting the following error: 5May 07 201316:38:36305013192.168.1.6Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.1.22 dst inside:192.168.1.6 (type 8, code 0) denied due to NAT reverse path failure The recommendation from the syslog details is:"When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the inspect command if the application embeds the IP address". Beliw is my config:
interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 10.10.1.7 255.255.255.0!boot system disk0:/asa842-k8.binftp mode passiveclock timezone EST -5clock summer-time EDT recurringdns domain-lookup insidedns domain-lookup outsidedns server-group DefaultDNSname-server 10.10.1.1object network obj_anysubnet 0.0.0.0 0.0.0.0object network obj_net_Insidesubnet 192.168.1.0 255.255.255.0object network Outside_globalhost 10.10.1.6access-list outside_access_in extended permit icmp any any echo-replyaccess-list outside_access_in extended permit icmp any any source-quenchaccess-list outside_access_in extended permit icmp any any unreachableaccess-list outside_access_in extended permit icmp any any time-exceededaccess-list
Having a problem with a VPN site trying to communicate to a subnet off my ASA 5505. The network is simple, VPN IPSEC remote site is 192.168.6.0/24 and I can ping and access hosts on 192.168.10.0/24 (called InfraNet). I am now trying to allow communications between 192.168.6.0/24 (called FD_net) to 192.168.9.0/24 (called Inside) [code]
I tried the solution posted at [URL] however it did not work on my ASA5505 8.4(2). I thought that it may be because I only have a single public address so the web server is responding to port forwarding through the one public IP already. looking in ASDM it appears to indicate that a configured access list is blocking the server from responding to the internal hosts.
Can I fix an access list (or something) to make this work or am I wishing for too much with only one public IP? This worked by default on my Netgear firewall.
I need configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.I have attempted to configure rdp access but it does not seem to be working for me. How to modify my current configuration to allow this? I need to allow the following IP addresses to have RDP access to my server: [code] The other server shows up as 99.89.69.334 but is working fine.
I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. My configuration file and what are the commands i need in order to put this through. Also, if there are any bad/conflicting entries. Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course.Also the bolded lines are the modifications I made but that arent working. [code]
I would like to allow remote access to a windows server through a ASA (5505) firewall. Users will use the vpn connection in order to connect to a private network. Is there any link that describes the steps for ASDM?
I just purchased a domain name, that I have forwarding to my WAN address. I want to be able to access my home websie via this route. I have an ASA 5505, how do I get the ASA to point to the home server when the WAN IP address is entered?
When I start a VPN-session my server looses internet access. The server is host for a few virtual machines and they have internet access.using 5505 and asa is version 8.4(2). [code]
I have a Cisco ASA 5505 in my home office which has a few PCs behind it with a linux web server running some websites. I can access the websites from outside no problem (i.e. on my iPhone using a 3G connection). However, I struggle to access the websites from within the network. The ASA gives me this error: [code]
I am trying to configure our ASA 5505 so that our users can access our ftp site using [URL] while inside the firewall. Our ftp site is setup so that you can reach it by either browsing to the above url or by browsing to ftp://99.23.119.78 but we are unable to access our ftp site from either route while inside the firewall. We can access our ftp site using the internal ip address of 192.168.1.3.
Here is our current confguration:
Result of the command: "show running-config" : Saved:ASA Version 8.2(1) !hostname ciscoasaenable password qVQaNBP31RadYDLM encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0 !interface Vlan2nameif ATTsecurity-level 0pppoe client vpdn group ATTip address pppoe setroute !interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!ftp mode passiveobject-group service DM_INLINE_TCP_1 tcpport-object eq ftpport-object eq ftp-dataport-object eq wwwaccess-list ATT_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1 access-list ATT_access_in extended permit tcp any interface ATT eq ftp access-list ATT_access_in extended permit tcp any interface ATT eq ftp-data access-list ATT_access_in extended permit tcp any interface ATT eq www access-list 100 extended permit tcp any interface ATT eq ftp
I'm having problems getting AnyConnect clients to reach a server (192.168.139.3) on the Inside interface of my ASA 5505. Ideally, this would be accessible from the DfltAccessPolicy or another dedicated policy, but right now I'm happy with any access. Everything else seems to be working as expected. I've rebuilt this config a number of times without success. I can ping the IP from the ASA itself.
I have a 5505 that currently has inside/outside interfaces and everything is working just fine. I am trying to create a DMZ that will essentially be just for vendors/guests. the DMZ will have full access to the outside (Internet) but no access to the inside. I am using the FW for DHCP, and 8.8.8.8 and 4.2.2.2 for DNS. I currently have 1 laptop in the DMZ vlan, and it is getting a correct IP, and it is showing 8.8.8.8 and 4.2.2.2 in ipconfig. I can ping/tracert 8.8.8.8/ 4.2. 2.2/74.125.137.147(what url... resolved to on a laptop connected to the inside vlan), but I cannot ping nor browse to url.... [code]
We recently purchases the Cisco ASA 5505 to get familiar with it, possibly buying more appliances for our branch offices. However, since the appliance is installed, our SIP telephones no longer register with our SIP service provider.
The SIP phones are all on 10.0.1.0/24 while the SIP provider is external via the outside network. I copied our configuration below. how to enable SIP for all 10.0.1.0/24 hosts and ports 5060, 5160, 5260, 5360?
gcxfw# show running-config : Saved : ASA Version 8.4(3)
I have a standard ASA 5505 with inside, dmz and outside with the default security levels, 100/50/0. we have an email server inside which has been NATed and is working fine. However users accessing the wireless on the dmz are unable to access their emails on https (443). How do I allow SSL access ONLY to users on the dmz using ASA 8.4 commands or ADSM 6.4?
I have 2 ASA and would like to build a Side-to-Side VPN between these ASA. So I can learn something about configure a ASA for different thinks. But now I don`t can Ping from a Client to the Internet-Router.My Configuration is:
I have a ASA 5505 Sec Plus. I would like to allow outside hosts to our mail server and also our FTP server. So i would like to allow only SMTP, HTTP (for Outlook Web Access) and FTP.
