I have a ASA 5505 as a default gateway to a network, whenever I tracert to outside it shows every hop ip address as the ip address I'm trying to get too, quick example
lets say I'm in a 192.168.0.0/25 network but I want to trace to 10.10.10.10
I have the below configuration for a cisco asa 5505. There is a ADSL router in front of the ASA which has a static IP. I set up a remote-access VPN (using the wizard), but I cannot connect to the ASA firewall as the attached VPN client log shows. My only concern is that there might be something missing, ie a static route that goes to the inside interface. [code]
View 7 Replies View RelatedI Have asa 5520 with the code 8.0, the mem shows 94% and the CPU shows 85%
View 5 Replies View RelatedJust setting up and testing a Cisco 891-K9 router. Used CCP for basic setup, figure I'll tweak any settings needed later.For the firewall, I chose the default "medium" security setting in CCP, then added some holes (already setup in NAT) for outside access in.
Now on to the real question:I noticed that I am now unable to click through google search results. On any borwser. Clicking on any search result simply loops back around to the same google search page. If I disable Javascript on the browser, everything works as expected. So it appears that the firewall is preventing something in google's scripts from redirecting and "clicking through" to the final destination page.
I'm familiar with our old Pix firewall commands, but still a relative newcomer to the zone based firewall and commands for this new 891, (relevant Config pasted below) (Gi0 is the WAN interface)
!
!
multilink bundle-name authenticated
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
[code]....
I'm trying to block access to dropbox.com on our ASA5510. I have it setup and it blocks dropbox.com just fine. But it is also blocking google.com. I can't figure out why.
Here's my config. When it blocks google, it blocks it with the terminated by inspection engine, reason - disconnected, dropped packet.
regex Block_Dropbox ".dropbox.com"
access-list URL_Filtering extended permit tcp any any eq www
access-list URL_Filtering extended permit tcp any any eq https
[Code]......
I can't tracert or ping certain websites or servers for games.Before I go on, no I wasn't doing this because of DDoS-ing. I was doing this so that I could find an exact latency number for a gaming server. Now, to continue.What I mean is if I try to ping this server, the session will timeout no matter what the millisecond limit is (using CMD)
Ping: Pinging (IP Host Name) [IP] with 32 bytes of data
Request Timed Out
Request Timed Out
Request Timed Out
Request Timed Out
[code].....
Why does this happen? I am pretty sure this is a security tactic used to stop DDoS-ing, but why does it not matter how long I allow the tracert or ping to run? I really want to understand this so I can understand how people don't get traced as well as don't get DDoS-ed. I didn't put any of the IP's just to keep it anonymous. If you really need the host IP, I will supply it, but I will not supply the tracert IP's.
How can i enable this machine to be accessible throught PingTracert
View 1 Replies View RelatedI am currently using Time Warner Cable as my internet provider and I have been experiencing very slow internet connection speeds for the past few weeks. This has happened across multiple laptops and desktops both wireless and wired connections. I have done a ping and tracert test but am unable to read the results.
View 7 Replies View RelatedI'm working as a network engineer for a service provider, and we had just gone through a pretty large scale upgrade throughout our network and service.But not long after the upgrade (or maybe ever since the upgrade, we can't confirm this because we probably missed it out due to many other links to be tested), we met a peculiar problem.Everything seems to be running fine most of the time, but there has been some weird 'ghost-like' activity which have been causing inconsistent network disruptions. At times, certain portions of the network can't communicate with other subnets.And most obviously is the problem with a continuous ping and a traceroute simultaneously. Ping is usually normal, but until a traceroute is attempted, it times out at the same time as tracert fails to obtain the route.Besides, performing a ping from the 2nd closest hop address, 10.250.253.251, which is a cisco layer 3 switch also has problems, the results shown are as belowType escape sequence to abort[CODE]
View 1 Replies View RelatedI have a specific website that i cannot reach. I can reach all other websites without any problems.I have read this URL and followed the same instructions.I made the tracert and here is what i got.
View 5 Replies View RelatedThey time out however I can connect to google/ect on my browser.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:UsersHannah>ping www.riftgame.com
Pinging www.gslb.riftgame.com [208.94.26.135] with 32 bytes of data:
Request timed out.
Request timed out.
[code].....
I am working with a client who is adamant their backbone is fine. However, I am unable to get a single iperf connection to generate anything more than 9.5 megabit/s, and can go all the way up to 322 megabit/s with multiple streams before it looks like we are saturated. Note the example below for a single stream has a 1MByte window, with 8kb we were only able to see 2.4 mbits/sec per stream (as seen in the per stream in the example below). Where would you begin to look for why we cant seem to exceed 2.3mbit/s with an 8kb window, or 7.88 with a 1mbyte.
View 14 Replies View RelatedI have new ASA5520. After configured and upgrade with ASA 8.0(3) image its works for few times (few times means after restarted several times). But now the error comes as "Booting system, Please wait..."
View 9 Replies View RelatedI am trying to access a government jobs page to apply for an internship. When I access the page from my home network (using multiple browsers and multiple computers) I get a result that references the job opening from last year, and doesn't have an application button. When I access the site using my 3G connection on my phone, or when accessed from any other internet connection, I get the new page which includes information about the 2013 job opening, and has an application button. When I try to enter the URL for the application page on my home network, I get a 404 error. If I turn my wifi off on my phone and reload the same page, it resolves to the correct page.
View 17 Replies View RelatedI did a network test with Passmarks Performancetest. I'm running a 10/100 network with all devices connecting at 100Mb. On Performancetest there are 2 tests to run for Network speed, TCP and UDP. The TCP speed test came back with an average 62000kbps (7.5Mb), and the UDP was 89000kbps (10.8Mb). As I'm running a 100mb network, shouldn't the results of been higher?
View 3 Replies View RelatedI have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.
When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.
The ASA5505 configuration is shown below.
hostname Firewall
interface Ethernet0/0
description Connected To Internet Router
switchport access vlan 10
[Code].....
We use ASDM 6.2 to manage our Cisco ASA 5520 running ASA Software Version 8.2 (1). I just noticed that some static routes have "A-" when you view the static routes with ASDM e.g. A-172.24.0.0 or A-192.168.176.0 (pls see attached print screen). I haven't seen this before and dont know what it means.
View 4 Replies View RelatedThe Cisco ASDM or the event manager show wrong source/destination for teardown tcp messages:In this example the communication is an ssh session;from 1.1.1.1 -> 2.2.2.2 ssh and the connection is reseted by 2.2.2.2
The message build outbound is correct, i.e. source is 1.1.1.1 (message id is 302013)
But the teardown is incorrect, i.e. source for the connection is 2.2.2.2 which is definitely not true (message id is 302014)
Also there seems to be a documentation bug in syslog messages for ASA 8.4 since the message for the teardown 302014 is gone!
I'm using an Acer Aspire 5532 and just recently set up my own network with my Cisco WRT120N router. I used the installation disc and set up a WPA password, named my router, and my network. For the installation, it seemed I could not even start without physically linking the router to my laptop with the included rollover cable. I finished that, and ever since my wireless adapter has been disabled. Whenever I attempt to enable it, I get an error; my laptop shuts down and I'm presented with blue screen. The only way I've been able to get back to normal is to reboot in safe mode and than do a system restore.
View 3 Replies View RelatedI have 100mbps connection but when i took the test at speedtest.net it was so slow i don't understand whats bottle necking my system. When i download games off of steam it downloads its much faster then downing anything from my browser. I know its my network because when i went on steam and changed my download settings to cable and it was fixed.
View 9 Replies View Relatedi have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.
View 2 Replies View RelatedI've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
View 32 Replies View RelatedInternet ISP -> Juniper SRX 210 Ge-0/0/0
Juniper fe0/0/2 -> Cisco ASA 5505
Cisco ASA 5505 - >Inernal LAN switch.
1. Internet is connected to Juniper Ge0/0/0 via /30 IP.
2. Juniper fe0/0/2 port is configured as inet port and configured the Internal public LAN pool provided by the ISP. And this port is directly connected to Cisco ASA 5505 E0/0. Its a /28 pool IP address. This interface is configured as outside and security level set to 0.
From Juniper SRX, am able to ping public Internet IPs (8.8.8.8).
Issue:
1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30)
2. From ASA no other Public internet IP is pinging.
Troubleshooting Done so far.
1, Configured icmp inspection on ASA.
2. Used the packet tracer in ASA, it shows the packet is flowing outside without a drop.
3. Allowed all services in untrust zone in bound traffic in Juniper SRX.
4. Viewed the logs when I was trying the ping 8.8.8.8 in ASA. It says "Tear down ICMP connection for faddrr **** gaddr **
got a crahed 5520 this week and was showing <163>Nov 28 2011 11:34:45: %ASA-3-201013: Per-client connection limit exceeded -125/100 What the negative number tells ? i usually see same numbers like 100/100 with means the connection limited has reached.
View 3 Replies View RelatedOn our ASA 5510 we have two security contexts. After opening ASDM I can see and manage admin context, but cannot see second context. I can do changes to second context via CLI but as probably you know it's easier and quicker doing it via ASDM.
View 7 Replies View RelatedWhen we setup a connection between two hosts we receive the message "TCP checksum incorrect" , This is between a settop box on the outside and a server inside the firewall. This STB used to communicate with the server on port 443 which is NAT-en to port 12697.With a new settop box image which uses on the inside and outside port 12697 we receive this TCP checksum incorrect on the Firewall with wireshark.
Strange is that on the outside of the firewall we see an MSS of 1460 and on the inside it is 1380 (don't know if there is a relation with this and the issue we have)
I'm trying to troubleshoot an ASA5505.
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic. I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did. That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below. However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
show ver
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"
[Code].....
Just did a dot11 radio link test on a point to multipoint 1400 series bridges. how to read the results of the test?
View 9 Replies View RelatedI was just checking my router's firewall log and I noticed a couple of entries which appear somewhat suspicious, amongst all the 'normal' background radiation of (mainly) Russian and Chinese IPs: [code] The source IP for these 'attacks' is/was unused on my internal network.
My router is a Billion BiPAC 7800N running 1.06e firmware. There are a number of devices permanently connected to the internal network and a number which are connected at other times (e.g. desktops, laptops, mobile/cell phones, games consoles). Some are wired, some are wireless. Some have static IPs (none of which are listed in the above 'attacks'), some have dynamic IPs (assigned by DHCP by the router in a range not listed above). The WiFi is secured with a strong key on WPA/WPA2-PSK, AES (no WPS). Web Access Control for the router is disabled. Block WAN PING (and Block WAN (IPv6) PING) are both enabled.
I have a cable modem internet connection and my cable modem is connected to an ASA 5505. The inside interface of the ASA has an IP address of 192.168.2.2 and is connected to a Linksys router's internet port which has an IP address of 192.168.2.1. The Linksys router then has a local area network of 192.168.1.0 and all my clients are on that network. Everything is working fine except in my ASA logs all the traffic shows up as the router's external address which is 192.168.2.1. I would like to see the 192.168.1.x address of the clients in the ASA firewall. I've tried making some changes to the Linksys router but that hasn't resolved it. Is there any changes I can make on the ASA to get this to work?
View 6 Replies View RelatedWhy does the sx300 series only displays ping and traceroute results in 20ms intervals (see below)? The example in the CLI manual shows "regular" results. These 20ms intervals are not useful for troubleshooting. This is version 1.1.0.73 on an sf300-24. [code]
View 2 Replies View RelatedWe have a design of two 6509 running in a VSS with dual supervisor each having fthree 10/100/1000mb etherner modules. We have diagnosed a wierd problem that none of the switchports in module 1 and 2 on either switches are having layer2/layer 3 connectivity.
Tried everything from changing the cables to changing the end device but no luck with it.
Module results show pass and no errors in the logging.
Is it possible to use IP "aliases" on an ASA5505 to use as static NAT public IPs to private IPs? For example, I have int e0/0 connected to my ISP using a /30 subnet and I have my private LAN connected to e0/1 with a /24 subnet. At the moment I can use the one usable IP from the /30 to NAT to the private LAN. The ISP is also routing a /28 subnet to the one public IP of the ASA. I would like to use some of the /28 IPs for NAT also. Can it be as easy as just adding the NAT commands? I figure I would have to add that subnet to the ASA somehow, no? In other devices (including the SA520) they use a concept called IP aliases whereby you define what additional IPs the device can use in its NAT config. Does the ASA support aliases? Maybe I have to do something with VLANs?
View 2 Replies View Related