Cisco Firewall :: Unable To Allow Inbound ICMPv6 On ASA 5505 Version 9.1
Nov 22, 2012
I have upgraded an ASA 5505 to 9.0(1) as I would like to use ipv6 version of dhcprelay. That said, I am unable to obtain a global unicast address but the link-local address is able to communication with the ISP's gateway/DHCP provider which I hope will allow v6 dhcprelay provide internal clients with IP's from the ISP. Trouble is, unsolicated inbound ICMPv6 messages from the ISP's gateway are being dropped on the way into outside interface.
%ASA-3-313008: Denied IPv6-ICMP type=129, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=131, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=131, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
[Code]...
View 4 Replies
ADVERTISEMENT
Oct 6, 2011
I configured an ASA 5505 a couple of weeks ago. Every thing is working properly except it sends irritating messages to the syslog server. Her is an example of the message:
%ASA-2-106001: Inbound TCP connection denied from 195.215.221.56/80 to 10.70.13.90/252 flags PSH ACK on interface outside
%ASA-2-106001: Inbound TCP connection denied from 195.215.221.56/80 to 10.70.13.90/2252 flags ACK on interface outside.
View 1 Replies
View Related
May 31, 2011
Last night I switched out our old Cisco pix 515 with a asa 5505. The config is the same and internet and outgoing mail is working but no mail is coming in. Below is a copy of my config. Why my inbound mail is not coming in.
smtp 192.168.51.248 (Barracuda email filter)pop3 192.168.50.11 (exchange server). Tried to telnet into the firewall but connection timed out. Went to mxtool box and that also timed out while trying to connect to smtp. Port scan from mxtool box timed out too on all ports.
[Code] ........
View 5 Replies
View Related
May 12, 2011
how to set up port forwarding for inbound SSH?
The outside interface on the ASA is on DHCP. I have a single dynamic public IP from my ISP. The inside interface provides Internet access for the network using NAT.
I have a server on the internal network with an IP of 192.168.0.6 and I would like to access this via SSH (TCP port 22) from outside.
I've been able to do this in the past on a PIX with a static public IP block, but I'm new to ASA and I don't know how to do it with PAT.
Current running config attached for what it's worth, but it's pretty basic at the moment.
View 3 Replies
View Related
Oct 16, 2012
I have been asked to open some ports in order for a CCTV company to connect to an internal CCTV server on our LAN.
We have a Pix running PIX Version 6.3(5) I am ok configuring an ASA for the above but not a Pix.
View 2 Replies
View Related
Mar 14, 2011
I need to fullfill the below configuration which is working fine on my actual D-Link Netdefend firewall.
We have a range of IP assign by our ISP : 194.250.47.128/29
194.250.47.129 is the firewall IP and 134 the isp gateway.
We have 4 interfaces
- The local user interface: lan =192.168.170.1/24
- The servers interface : dmz =192.168.171.1/24
- The database interface : oracle=192.168.169.1/24
[Code]...
View 7 Replies
View Related
Sep 23, 2012
What anyconnect version do I need on a 5505 so i can have people connect via iOS devices? Right now I have "anyconnect-macosx-i386-2.5.1025-k9.pkg" on there, will that work for iOS devices?
View 7 Replies
View Related
Mar 1, 2013
ASA 5505 Version 8.2 or older nat (inside) 1 10.0.0.0 255.255.255.0nat (INTF4) 1 10.0.4.0 255.255.255.0nat (INTF5) 1 10.0.5.0 255.255.255.0nat (INTF6) 1 10.0.6.0 255.255.255.0nat (INTF7) 1 10.0.7.0 255.255.255.0global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224global (outside) 1 interface
I believe this setup does the following. The inside interface and interfaces 4,5,6,and 7 will translate using this line....
global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224
and if the addresses run out is will start using the ouside interface IP address to translate, so traffic is not disrupted and is based on the line of configuration.....
global (outside) 1 interface
My question, does it do this because of the order of the configuration..
global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224global (outside) 1 interface
or would it do it that way even if it was like this?
global (outside) 1 interfaceglobal (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224
and if so why?Now let's convert the above configuration to ASA 5505 Version 8.3 or newer.
object network OUTSIDE-NAT-POOLrange 209.165.200.235 209.165.200.254object network INTERNAL-SEGMENTSsubnet 10.0.0.0 255.255.248.0nat (any,outside) dynamic OUTSIDE-NAT-POOL interface
My question is how does it know to use the outside interface as a backup when the OUTSIDE-NAT-POOL is depleted?Also why do I need to define the INTERNAL-SEGMENTS ? Doesn't the "any" in the (any,outside) take care of that?Also wouldn't the "any" in (any,outside) cover interface 3 or DMZ which could be an issue?
View 7 Replies
View Related
Jun 20, 2012
I have a ASA5505 and currently running Version 7.2(4). I was wondering what the latest version of the software would available to me would be.
Here's a show ver
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "disk0:/asa724-k8.bin"
Config file at boot was "startup-config"
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
View 1 Replies
View Related
Jan 20, 2013
I've have an ASA 5505 with a inside network vlan1 (192.168.0.0/24) - i've configured an IPsec VPN profile and a VPN network of 192.168.0.50/24. I can through my VPN tunnel access inside hosts on vlan1 - but not ASDM on the ASA (192.168.0.1). Under management i've added the VPN network of 192.168.50.0/24 to have access to ASDM, but still does not work.
View 1 Replies
View Related
Jan 24, 2012
I'm trying to configure UC-Proxy using an ASA 5505 with software version 8.0.4.I was following the instructions in DOC-5704 and ASA 8.0 CLI.I don't have USB security tokens in UC solution, instead I'm using IP phones Cisco 7961 with MIC.I configure all the items as the documentation says but when I restart the phone outside the Firewall, the 7961 don't registrate with the Call Manager.Checking the troubleshooting I found that it's possible certificates problems but I don't know if I need to do something in phones.
I would like to know if there is any consideration when the UC proxy works just with MIC.The outside phone is a Cisco 7961 configured with static IP address and TFTP address of Call Manager (static NAT in ASA).
View 6 Replies
View Related
Mar 20, 2012
I just upgraded my firewall to ASA 5505. Now, my original static ip address cofiguration is gone. Apperantly, Cisco went away from static ip address to something like nat (inside,outside) dynamic interface. how to create a static ip address under version 8.4? By the way, I am sharing what my configuration used to look before upgrading.
!
hostname cisco-asa
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
[code].....
View 7 Replies
View Related
Feb 15, 2010
Showing Your firewall has a version number null which is not supported by ASDM 6.2(5). I received this error when trying to run asdm on my asa 5505. I upgraded image and asdm trying different versions. I used many different versions of java all to no avail.
View 4 Replies
View Related
Nov 20, 2011
I am now going to configure IPSec VPN connection for Cisco ASA 5505 (Version 8.4)
View 3 Replies
View Related
Aug 14, 2011
I recently upgraded Java to JRE version 1.7.0 and now when I try to login to the ASA 5510, I get the following message in the java console log.Exception in thread "AWT-EventQueue-0" java.lang.ClassCastException: sun.security.ssl.X509TrustManagerlmpl cannot be cast to com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager at com.sun.deploy.security,X509ExtendedDeployTrustManager.<init>(Unknown Source)
View 5 Replies
View Related
Feb 28, 2011
I am running ASR1002 with latest XE IOS version asr1000rp1-adventerprisek9.03.02.01.S.151-1.S1.bin configuration bellow
router bgp 65000 bgp router-id 1.1.1.1 bgp log-neighbor-changes timers bgp 5 15 ! address-family ipv4 vrf LABR01-VRF bgp router-id 1.1.1.1 neighbor bgprrclient peer-group neighbor bgprrclient remote-as 65001 neighbor bgprrclient password 7 1234 neighbor bgprrclient update-source Loopback0 neighbor bgprrclient version 4 neighbor bgprrclient route-reflector-client neighbor bgprrclient route-map set_weight in I then tried to create new route-map and get error that match next-hop can not be used on inbound
route-map set_weight permit 10 match ip next-hop prefix-list thirdparty match as-path 1 set weight 1000
LAB-ASR1002(config)#route-map set_weight permit 10LAB-ASR1002(config-route-map)# match ip next-hop prefix-list thirdparty% "set_weight" used as BGP inbound route-map, nexthop match not supported% not supported match will behave as route-map with no match% "set_weight" used as BGP inbound route-map, nexthop match not supported% not supported match will behave as route-map with no match% "set_weight" used as BGP inbound route-map, nexthop match not supported% not supported match will behave as route-map with no match% "set_weight" used as BGP inbound route-map, nexthop match not supported% not supported match will behave as route-map with no match% "set_weight" used as BGP inbound route-map, nexthop match not supported% not supported match will behave as route-map with no match Not sure why Cisco is not supporting a pretty basic feature for BGP route maps.I tried looking into matching other variables but I am unable to get same result as I have same routes on bgp table from multible inbound peers.
I also get this message when configuring tacacs. I looked for "new" cli but no luck:LAB-ASR1002(config)#tacacs-server host 2.2.2.2 This cli will be deprecated soon. Use new server cli
View 1 Replies
View Related
Sep 9, 2011
I just tried to configure my ASA but unable to ping. My setup is as follows:
Cable Modem (DHCP from IPS)---> ASA (192.168.1.1)--->Belking Router (192.168.5.1)--->Switch (192.168.5.14)--->
ASA Version 8.2(3)
!
hostname WoodHomeASA-1
[Code].....
View 30 Replies
View Related
Dec 27, 2011
First time attempting to set up a 5505. Trying to replace a snapgear firewall and replicate the settings to the 5505.
View 12 Replies
View Related
Sep 20, 2011
I have a command line from ASA 5505 like below :
nat (inside) 0 access-list NO_NAT
The problem is I cannot see any matching ID of 0 at the (outside) like :
nat (outside) 0 xxxxxxxxxxxxx
Another problem is there is also no any access list with the name of NO_NAT.
View 2 Replies
View Related
Dec 11, 2012
I am using ASA 5505.Below are my sh run.I am not able to ping my gatway i.e 182.73.131.89
interface Ethernet0/0
description Internet Interface
switchport access vlan 61
!
interface Ethernet0/1
description office Internet
switchport access vlan 50
[code]....
View 3 Replies
View Related
Sep 26, 2012
I have ASA 5505 and I save the configuration in the ASA 5505 using write memory or using copy run start but whe i unplug the power cord and plug it back in the ASA gets its factory default configuration.
View 8 Replies
View Related
Sep 27, 2012
I have config ASA 5505 and it is conencted to layer 3 switch that connects to cable Modem.
ASA is config with DHCP option and PC is able to get the IP from ASA. But from PC i am unable to access the internet. From ASA itself i am able to ping the Websites fine.
ASA has config with DHCP for inside and also it is doing NAT.
When i connect the ASA directly to Cable modem then pc is able to access the internet.
View 4 Replies
View Related
Apr 5, 2013
I have setup 5505 ASA for Testing purposes. It has static route to layer 3 switch on outside interface that goes to the internet.
ciscoasa# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
[Code].....
View 20 Replies
View Related
Feb 13, 2012
We have a cisco asa 5505 on which we have setup a group VPN. The VPN connections from all cisco vpn clients works fine except one. The keep getting the below error
"Secure VPN Connection terminated locally by the client. Reason 412: The remote peer is no longer responding. Connection Terminated".
Not sure why only one client won't be able to connect. The version we are using is 5.0.02 for VPN client.
View 10 Replies
View Related
Oct 31, 2011
I am unable to Telnet/SSH/RDP from my inside network to my DMZ. I am not sure where the problem lies, I am able to use VNC from the inside to the DMZ (ports 5800, 5900), and also establish connection on Ports (26700-26899). I have a computer connected directly to the DMZ and those services work to all networks on the DMZ.I have attached Logs of successful VNC connections, unsuccessful RDP and Telnet sessions, and the running config.
View 23 Replies
View Related
Aug 12, 2012
I configured a new Asa 5505 with Ios 8.44-1-k8.bin and when I installed the Asa the client's after about 1 hour were unable to ping or map drives to the Asa. I got the following error,%ASA-2-106007: Deny inbound UDP from XXXX to XXXX due to DNS Query. I added the command same-security-traffic permit intra-interface they were then able to ping the server and connect to the Internet, but still unable to map drives i could see the connections from the Pc's to the server in a show conn with was tcp port 445 with Saa? I reverted back to Ios 8.25 and everything works.
View 2 Replies
View Related
May 23, 2011
When I have a computer directly connected to the Cable Modem I get 9.84MB Down and 1MB Up. When I put it behind the ASA 5505 with policing on the interface, I only get 4MB Down and 660Kb Down.What I'm wanting to do is setup this up to enable my VoIP to have a higher priority and shave 128kon both the Up/Down for the VoIP traffic. I also want to make sure I don't exceed the inbound and outbound thresholds.I''m using a 5505 Security Plus?
View 3 Replies
View Related
Mar 26, 2012
I have 2 subnets bought from my provider 194.102.98.128/27 and 194.102.98.160/27.
From my provider a have the following setup:
IP Address: 86.120.151.66
Netmask: 255.255.255.128
Gateway: 86.120.151.1
DNS (1): 213.154.124.1
DNS (2): 193.231.252.1
My IPs are static routed by my provider thought 86.120.151.66 .
On the firewall I have the following set-up:
Outside Interface: 86.120.151.66/25 security level 0
DMZ interface: 194.102.98.129/27 security level 50
Inside Interface: 194.102.98.161/27 security level 100
0.0.0.0 0.0.0.0 [1/0] via 86.120.151.1, outside
Everything works perfectly except when I try to sent an email. The email gets sent (eventually), but afert a long waiting time, 45-60 sec. The connection is opened instally to the server but then just hangs there for 40-50 sec. The problem is that a have an aplication on a server that has to send confirmation emails, and that aplication is limited to a 30 sec timeout for conecting to the mail server, much less then the 45-60 sec that I have now. The mail server is hosted by a data center, it is not in my networks (location).
I have tried deleting the ESMTP inspection, that doesn't work. Pinging my mail server rezults in a average time of 20 ms. And when a do a tracert the hight value in a hop doesn't usually pass 80 ms, the average is 20-25 ms.
The problem is ONLY when sending emails. Everything else works perfect, including receiving emails from the same server.
My running config is:
hostname ASA-Adisys
domain-name Intern.ro
enable password 0./39zRW9yhKK/bO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
View 3 Replies
View Related
Jan 9, 2013
Remote LAN pool is configured as inside. Route is proper. I am able to open 443 port from the remote LAN pool on the ASA. That means, the port is open from the remote pool. No response if I try https on the browser.
View 11 Replies
View Related
Jun 28, 2011
I found a tricky task for our ASA 5505 firewall. I am not able to go internet when using DHCP but I can access by using fixed IP address in client PC.Same IP, Same Mask, Same DNS, Same Gateway. All the same but no hope. Any configuration i missed in firewall?
View 5 Replies
View Related
Mar 8, 2011
I'm unable to have any internet connection for my new setup.
here's the overview.
Current setup is
Internet -> Router -> PIX 501 -> Switch -> clients
Internet -> static ip given is 210.193.34.1 - 210.193.34.6
Router -> Static ip assigned for NAT/External is 210.193.34.1, Local ip is 192.168.1.246
PIX 501 setting ->
IP to Router, According to router screen is 210.193.34.2, but not sure what settings are done in the PIX itself as I'm unable to access it.
local ip is 192.168.1.1
Clients - > 192.168.1.0
Old setup is working fine and connected to internet. for the new setup, as i do not want any downtime for the old setup.
As you can see, there are two firewalls connected concurrently to the router. I've configured it this way.
Internet -> Router -> ASA 5505 -> Switch -> clients
ASA 5505 setting ->
IP to Router NAT/External/ Outside Interface, 210.193.34.6 (Or do i set as 192.168.1.0?),
local ip/ Inside Interface is 192.168.2.1
Clients - > 192.168.2.0
some setup details.
security policy, NAT, set to default. routing is route outside 0.0.0.0 0.0.0.0 210193.34.6
I'm unable to access after a week of troubleshooting.
View 7 Replies
View Related
Apr 3, 2012
provide me with the important links which can show me how to do the software upgrade for my ASA 5520 ver 7.0(1) to ver 8.4 ? as well as the ASDM
View 10 Replies
View Related
Oct 26, 2012
I have ASA 5505 with base license. I created 3rd vlan on it.it was created. but i am unable to assign IP to it. i assign ip address it takes it. But when i do sh int ip brief it does not show any ip.
Code...
View 7 Replies
View Related