Cisco Firewall :: Source Routing Work Around Needed With ASA5515
Jun 10, 2013
I am setting up an ASA5515 to replace an existing Linux based firewall. Unfortunately the ASA5515 does not support source based routing. I have two internet connections currently used for specific connections - the second connection is NOT a failover connection. I have the default route to Internet connection 1. I want to route SMTP out the second Internet connection. The routers connecting to the internet are an 877 and an 878. The options I am considering are a layer 3 switch between the firewall and the routers to enable source based routing, or replacing the 2 routers with a single router and the appropriate WIC interfaces.
I have a strange problem in my campus network. I'm trying to run port security on my access switches, which are 3550s with IOS c3550-ipservicesk9-mz.122-52.SE. When I run port security with the sticky option, even if I allow 1000 MAC addresses for learning on the port, as soon as I issue the switchport port-security command every PC connected to that port loses its connection to the network UNTIL I enable DHCP snooping!!! All my clients get their IP address from a DHCP server, but the strange thing is: how on earth do I have to enable DHCP snooping for port security to work properly? Also, when I check the configuration under the interface while DHCP snooping is not yet enabled, the switch doesn't add any MAC address under the interface, so no one can work until I enable snooping, and then the switch adds MAC addresses under the interface configuration. Is this a bug in this version of IOS? [code]
I have recently procured an ASA5515-IPS-K9 for my own R & D. On that device I want to achieve the following milestones:
Perform static routing, relay DHCP, cache flow
Enable IPS with auto update
QoS for Voice and WAN traffic
Protect regional Campus/LAN, WAN, regional Servers from regional Campus/LAN, WAN and Internet
Allow traffic from well-known and given ports
SNAT for the regional servers with given ports
ACL for SSH only from admin PC with TACACS rights
Maintain SNMP with Cacti, Nagios, LMS, TACACS
All LNS servers to be added as name servers
Maintain time with ntp.xxx.yyy.bd.
Could I get a validation that this config is correct in that it allows inbound access to the web server and that I should be able to ping it from my inside interface.
I tried to use the example code from Cisco DocID: 115904 for a DMZ WebServer, but I found the object NAT parts did not work with my 8.6 IOS, so I modified them as shown in my config. Example from the 115904 doc:
object network WebServerPublic
 host 24.25.26.80
object network WebServerPrivate
 host 192.168.1.80
 nat (dmz,outside) static WebServerPublic service tcp www www   ---> this does not work
With the below code I do not get a ping reply sourcing from a 10.1.0.X host to the 192.168.1.80 web server. And I cannot browse in from the outside to it either. I do see the MAC for 192.168.1.80 in the ASA's ARP cache for the dmz interface. The web server is in a VMware ESX environment and I'm not sure it is set up correctly.
!
ASA Version 8.6(1)2
!
hostname A5515
!
interface GigabitEthernet0/0
I purchased an ASA5515-K9 (without IPS Edition) firewall and it runs smoothly on our network. But right now I want IPS facilities. Can I purchase a license and upgrade from ASA5515-K9 to ASA5515-IPS-K9 and use the IPS edition?
After pulling a brand new ASA5515 out of the box this morning, I spent countless hours scratching my head wondering why:
1. I cannot establish an HTTPS connection to the Management port - https://192.168.1.1/admin
2. When connecting via the console port I get prompted with a username and password sequence that I don't know
I get an SSL Version Error message when I try to connect with any browser. Although I did find a way to resolve it, it requires a console port connection, which is not working either. This is not my typical experience with the console or ASDM port setup.
I'm having a few problems at the moment with a zone based firewall setup. The more I looked into the problems, the more I question whether I need the ZBF or not. My network is pretty simple: 1 Internet connection and 1 LAN interface and a few site-to-site VPNs to the router. So what do people think of having this kind of setup and not using a ZBF?
I have a spare ASA5505 w/Base License that we want to use as the router/firewall between our wi-fi network and our secondary internet connection. Currently we have a NetGear box as the router there and it is on its last legs. In order for the ASA w/Base license to be able to issue over 150 IP addresses via DHCP, which license do I need to purchase for it?
The firewall is running version 8.2 on an ASA 5580. Address translation is not needed between the Inside network and the Outside network. But the customer has hundreds of static commands as below... [code] Can they all be removed and replaced with one single command as below?
I have a couple of 5505s with base licenses. One of the two has a limited output when running the sho version command, as it has a restricted license. What license would I need to buy in order to bring it up to a "normal" base license?
We have deployed a few ASA 5585 SSP40s in our data centers to separate different customer/security zones connected with 10Gig interfaces. Currently we have a dedicated log server attached to each ASA, connected with a p2p 10Gig interface. While detailed log information is considered important, I somehow have the gut feeling all this high end equipment and bandwidth is used a little too wastefully. I have little experience with these big firewalls and I have not yet seen the equipment in an attack situation; however, I doubt a firewall could ever generate 10gig of log data while doing the primary firewalling job at the same time. Looking at the typical packet size of a syslog message, I don't even believe a 1 gig link could ever be saturated with pure syslog messages.
I have the following setup: two Cisco ASA 5520s that need to be configured in HA Active/Passive. The firewalls also include AIP modules. Will the ASA 5520 internally make the AIP modules HA Active/Passive as well? Is there a document regarding the issue? Is there a separate license for the AIP modules for the HA scenario?
Suppose I have a 3 member stack of 3750X switches: members a, b and c. I have all 3 members stacked with all 3 *data* stacking cables in a daisy-chain topology. The 50 cm data stacking cable from switch a (on the very top) to switch c (on the very bottom) just barely reached. Of course, that means the 30 cm *power* stacking cable didn't reach between a & c. Right now, the power stacking cable goes from a to b, and then another cable from b to c, leaving me with a useless extra 30 cm power stacking cable.
My question is, can switch "a" receive power from switch "c" through switch "b"? Is this just a big electrical "bus"? What if the power supply in switch "b" is removed? Just wondering if there is a need for me to get a longer power stacking cable (one of the 150 cm power stacking cables).
Our sister site had a new building, and its network was supposed to resemble the network on this site, with link redundancy as far as the edge switches. After 6 months of asking for the password to the equipment I finally got it and started to plan the deployment of some phones. I got a little confused as to the layout of what had been done, as CDP was not showing what I had expected.
I then used CNA to map out the site. We have 1 main server room (at the top of the picture, with the two 4507 cores and a number of fixed config 1U switches) and 3 further wiring rooms at other points in the building with fixed config 1U switches.
(And a WAN link to this site.) In my opinion the design as it stands is significantly flawed in redundancy, with multiple points of failure, and its efficiency is very poor.
One of my clients is using a Cisco Catalyst 2955 industrial switch. I am doing the configuration for them and came across one setting, FCS Error Hysteresis Threshold. I know FCS is Frame Check Sequence.
What I do not understand is the meaning of the Hysteresis setting in terms of a percentage: what purpose does it serve? For example, the default is 10 percent. If I set the value lower, to 5%, what is the impact of that? Is this more stringent than the default of 10% or less stringent than the default of 10%?
I was testing the 802.1x function on a Catalyst 2950. The function itself works fine with my RADIUS, but after I set up aaa new-model, I have no access to my switch! Every time I telnet it prompts me for a username, but I didn't create any user!!
How do I recover to the original status, where it just prompts for a password with no username needed, and with 802.1x still enabled of course? [code]
I have an internal subnet 192.168.3.0/24 sitting behind an ASA firewall 8.2 and would like to access a web server 192.168.11.54 which sits behind the outside interface of the ASA firewall. The access would be like this:
1) 192.168.3.0/24 will be accessing the web server http://192.168.11.54
2) We would like to translate the source 192.168.3.0/24 to the firewall outside IP address
3) We would like to translate the destination web server 192.168.11.54 to 202.90.197.146 as well
How do I perform this simultaneous source and destination address translation in ASA firewall 8.2? Can this be done in ASA firewall 8.2?
Does ASA 8.4.3 check the source IP address of a DNS reply and drop it if the reply address is different to that in the query?
The customer's DNS server does this due to a recent change: their server now has a virtual address, but replies are sent from its physical address. This is temporary. Their PIX is happy with this.
Replace the PIX with the ASA and DNS fails; the only reason I can see is the way their internal DNS operates.
I have been tasked with building a VPN tunnel with a partner company between our company's PIX firewall and the other company's ASA firewall. The traffic flow will be: Partner A company users will be accessing my company's Citrix server. I want to source-PAT the partner company user traffic to my company's PIX inside interface as it enters my LAN to access my company's Citrix server. The partner company will be PAT'ing their user traffic to a single IP address - let's say for discussion purposes it is 68.108.244.25. So there will be site-to-site VPN configuration and NAT configuration required to enable this traffic flow according to the above requirements. I am comfortable with the site-to-site VPN tunnel configuration, so I don't think it is necessary to post this portion of the configuration to be reviewed by this forum. What I do need is the NAT portion of the configuration.
{My Company's Citrix Server} ---------<inside ifc>-[PIX525]-<outside ifc>--------(internet)------{Partner Company A host PC's}
        10.100.12.103                                                                                   68.108.244.25
My proposed configuration to enable NAT'ing (or PAT'ing) Partner A user traffic to my PIX firewall's inside interface is the following:
global (inside) 9 interface
nat (outside) 9 access-list PartnerA_source_nat
And that's working well. However, I now need to translate the source address of connections from the outside to the FTP server as well. The aim is that the source address of packets when they reach the FTP server is an address on the DMZ subnet (as the default route for the FTP server now needs to be something else, not the ASA) as well as this outside-dmz NAT. I thought overloading the DMZ interface of the ASA? Or another IP in that range?
I am running a Cisco ASA 5550 in active/standby mode. We are currently running ASA OS v8.2(3)5. I am wondering if there is a way I could limit source IP concurrent connections coming in my outside interface. Does the ASA have a feature/ACL syntax that supports this?
The Cisco ASDM or the event manager shows the wrong source/destination for teardown TCP messages. In this example the communication is an SSH session from 1.1.1.1 -> 2.2.2.2 ssh, and the connection is reset by 2.2.2.2.
The build outbound message is correct, i.e. the source is 1.1.1.1 (message id 302013).
But the teardown is incorrect, i.e. the source for the connection is 2.2.2.2, which is definitely not true (message id 302014).
Also there seems to be a documentation bug in the syslog messages for ASA 8.4, since the message for the teardown 302014 is gone!
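As an added example (not from the original post), a detection-side way to avoid reading connection direction from teardown messages at all: correlate each 302014 with its 302013 by connection id and take initiator/responder only from the build record, which carries the inbound/outbound keyword. The log lines are constructed; the regexes assume the documented ASA layout, in which an inbound build lists the initiating side first and an outbound build lists the lower-security side first.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines laid out like ASA 302013/302014 messages (assumption:
# production lines also carry a timestamp/host prefix, which the regexes ignore).
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 4711 for outside:2.2.2.2/22 (2.2.2.2/22) to inside:1.1.1.1/51022 (1.1.1.1/51022)
%ASA-6-302014: Teardown TCP connection 4711 for outside:2.2.2.2/22 to inside:1.1.1.1/51022 duration 0:00:07 bytes 3120 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 9999 for outside:3.3.3.3/443 to inside:1.1.1.1/40000 duration 0:00:01 bytes 12 TCP FINs
"""

BUILT = re.compile(r"302013: Built (inbound|outbound) TCP connection (\d+) for "
                   r"\w+:([\d.]+/\d+) \([^)]*\) to \w+:([\d.]+/\d+)")
TEARDOWN = re.compile(r"302014: Teardown TCP connection (\d+) for "
                      r"\w+:([\d.]+/\d+) to \w+:([\d.]+/\d+) duration (\S+) bytes (\d+) ?(.*)")

@dataclass
class Conn:
    conn_id: str
    initiator: str                 # host that opened the session, per the build record
    responder: str
    reason: Optional[str] = None   # teardown reason, once the 302014 is seen

def correlate(log_text: str) -> Dict[str, Conn]:
    """Key connections by id; endpoints and direction come only from 302013."""
    conns: Dict[str, Conn] = {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            direction, cid, first, second = m.groups()
            # Assumption: inbound build lists the initiator first; outbound build
            # lists the lower-security (responder) side first.
            init, resp = (first, second) if direction == "inbound" else (second, first)
            conns[cid] = Conn(cid, init, resp)
            continue
        m = TEARDOWN.search(line)
        if m:
            cid, _a, _b, _dur, _bytes, reason = m.groups()
            if cid in conns:                      # endpoint order in 302014 is ignored
                conns[cid].reason = reason or None
            else:                                 # teardown with no build in this window
                conns[cid] = Conn(cid, "?", "?", reason or None)
    return conns

def reset_from_outside(conns: Dict[str, Conn]) -> List[str]:
    """Ids of sessions torn down by a reset from the outside side ('TCP Reset-O')."""
    return [c.conn_id for c in conns.values() if (c.reason or "").startswith("TCP Reset-O")]

if __name__ == "__main__":
    for conn in correlate(SAMPLE_LOG).values():
        print(conn)
```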
I'm using a 2911 as our Public Internet Edge Router. I have 2 public subnet blocks from Sprint; we are in the process of migrating. What I need to do is NAT any source address from the Internet from an address on one of our public blocks to the other.
Example:
Source Address 11.10.10.10 ==> Destination 64.165.123.10 (nat this to 64.165.54.10) inbound.
So if someone from the internet tries to hit 64.165.123.10, we want to NAT that to 64.165.54.10, both of which sit on our public space.
I have a problem with random hosts getting the wrong source address on an ASA 5512-X 8.6(1). Right now there is a host, 192.168.25.108, showing up with 6.6.6.6 (fake) on whatsmyip.org; it should be 5.5.5.5 like the rest of 192.168.25.0/24. In the xlate table I can't find anything wrong. Same yesterday with two hosts that are using the right NAT address today.
I've got email logging for a few specific syslog messages working and sending to an email server on the inside network. However, the source IP ends up being the DMZ interface. Is there a way to force it to use the inside IP instead?
ASA Code Version 7.22
Inside Interface IP: 10.104.36.4 Mask: 255.255.255.0
DMZ IP: 10.100.20.1 Mask: 255.255.255.0
SMTP Server IP: 10.100.10.100
Logging commands in config:
logging enable
logging list email-alerts message 106100
logging mail email-alerts
logging from-address ASA@xyz.com
logging recipient-address tgw@xyz.com level debugging
A customer has a server located on the inside interface, and an outside interface connected to ISPA. The customer configured a static NAT mapping the inside server address to an ISPA address. One day the customer installed a new outside interface to ISPB and configured a new static NAT, mapping the same inside server address to an ISPB address. The server will always be visited from an outside interface and reply; the customer wants traffic coming from ISPA to return to ISPA and traffic coming from ISPB to return to ISPB. But I found it is difficult to implement this on an ASA5580. I want to use a route-map on the static NAT, but it will not satisfy the customer's request.
I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind, is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10 and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible? I'm using an ASA5510 but I could also switch to a 5505 for this.
I have two ASA5510-BUN-K9 FWs and I am planning to buy 2 x L-ASA5510-SEC-PL= to put them in HA. I was wondering if the support contract that I currently have for the two ASAs is still valid, or do I have to buy a support upgrade?