Cisco Firewall :: Unused Rules Tracking In PIX 535?

Nov 14, 2011

I have PIX 535 and using ACLs for allowing traffic. I need to clean up the rule base. I would like to know how to fetch a report of Unused rules for long time?Also when a traffic is being allowed, I want to know through which rule number its being allowed?

View 2 Replies


Cisco Firewall :: ASA 5540 - Identify Unused / Idle And Inactive Rules

Jul 22, 2012

I have a pair of ASA 5540 running 8.4 code. The firewall set has about 4500 rules. I am tasked to identify all unused/idel/inactive rules in the past 3 months.

View 2 Replies View Related

7800N Router Firewall Log Shows Attacks From Unused Internal IPs

Feb 23, 2012

I was just checking my router's firewall log and I noticed a couple of entries which appear somewhat suspicious, amongst all the 'normal' background radiation of (mainly) Russian and Chinese IPs: [code] The source IP for these 'attacks' is/was unused on my internal network.

My router is a Billion BiPAC 7800N running 1.06e firmware. There are a number of devices permanently connected to the internal network and a number which are connected at other times (e.g. desktops, laptops, mobile/cell phones, games consoles). Some are wired, some are wireless. Some have static IPs (none of which are listed in the above 'attacks'), some have dynamic IPs (assigned by DHCP by the router in a range not listed above). The WiFi is secured with a strong key on WPA/WPA2-PSK, AES (no WPS). Web Access Control for the router is disabled. Block WAN PING (and Block WAN (IPv6) PING) are both enabled.

View 2 Replies View Related

Cisco Firewall :: 837 Hardening Access And Firewall Rules

Mar 21, 2012

i have a cisco 837.I need hardening the access and firewall rules. I dont understand ip inspect.

View 1 Replies View Related

Cisco Firewall :: 2921 Firewall Allow Rules Being Dropped

Jul 5, 2012

I am configuring a 2921 with enhanced security using the CCP.  I have found a behavior that seems strange to me and I'm not sure if I'm misunderstanding something or missing a setting.  It seems that if I create a firewall rule to "allow" traffic through, that traffic gets dropped, but if I set the action to "Inspect", the traffic comes through fine.  I can actually reproduce this at will by setting up a rule from out-zone to self to allow traffic and I cannot telnet into it from an external ip, but if I change that rule to "inspect" i can connect fine (i dont want that rule set up permanently, was just using it to test the firewall).
If I set the allow rule to log, I see the following line in the application security log:
(target:class)-(ccp-zp-out-self:user-fw-ccp) Passing telnet pkt => with ip ident 0
(where is the external laptop and is my WAN IP address of the 2921)
So it looks to be passing the traffic, but that traffic is getting dropped somewhere because the connection is unsuccessful.
Is this the expected behavior of "Allow" action?  Is there something I can do to make sure "allow" traffic actually gets through?

View 1 Replies View Related

Cisco Firewall :: VPNs And Firewall Rules With PIX 515

Mar 25, 2011

I have a Pix 515, and a question about firewall rules/access lists.I have recently created a new VPN group, and IP Pool.I created a firewall rule that grants access via TCP to a specific IP address from this firewall.  However, when I test the VPN from outside the company, I find I can get to whatever server I want to.  There is no allow any/any.  I do not think there is any other rule before it or after it that would give that kind of access as most of our rules are for specific IP's and protocols.
The only thing I could think of is that we are using the account management in the firewall to authenticate the users.  I am giving the VPN users level 3 access.I will probably not post my config as it is my firewall config, and it would be against company policy.

View 3 Replies View Related

Cisco Switching/Routing :: 5520 Tracking The Link 1 For Asa Firewall

May 6, 2013

I want to use 4506 to track link 1 so that if it fail the traffic will use link 2 to go to ASA firewall. Switch_1 and Switch_2 is configured to use VRRP where Switch_1 is the primary.Current configuration (which im not sure about it):Switch_1track 1 interface gigabitethernet2/3 line protocol.

View 4 Replies View Related

Cisco Firewall :: ASA 5510 - Multiple Static Route Tracking

May 15, 2013

I am trying to set up my ASA5510 the fail over of ISP when it can't ping three different IP. I create three different tracking to three different IP using sla monitor & track rtr. But when I do

   route isp2  0 0  yy.yy.yy.yy  50
   route isp1  0 0  xx.xx.xx.xx  31  track 1
   route isp1  0 0  xx.xx.xx.xx  32  track 2
   route isp1  0 0  xx.xx.xx.xx  33  track 3

the last route will replace the previous two and only the last route command takes effect.Is there anyway I can set up the fail over to ISP2 only when it can't ping three different IP from ISP1?

View 1 Replies View Related

Cisco Firewall :: One To Many NAT Rules To Same DMZ IP ASA 8.2

Dec 5, 2011

Is it possible to provision 3 different public IP addresses to the same DMZ IP (Web server) on an ASA running ver 8.2(4)? Unfortunately, the way the server was provisioned Static or Dynamic PAT will not work.  I have read that ver 8.3 and up supports natively one-to-many NAT translations, but at this point the client is not ready for an upgrade. Is there anything else I could do to overcome this challenge?
Outside --------> DMZ>>>

View 16 Replies View Related

Cisco Firewall :: ASA 8.4.(1) NAT Rules Ignored

Jun 24, 2011

I'm having some troubles with NAT, packets does not match nat rule (that i think it should) and is not choosing the right egress interface. So crypto map never starts
this is the relevant config:
interface Port-channel2.4
description Public TESA ADSL internet connection
vlan 7


View 7 Replies View Related

Cisco :: Command To List Firewall Rules?

May 17, 2012

Boss wants a listing of the firewall rules only. What's a command I can run that will give me a listing of this?If I can get an output of firewall rules only, via GUI, that'll work too. It just needs to end up with a printout on a piece of paper telling me what the firewall is doing.

View 17 Replies View Related

Cisco Routers :: RV120W - Firewall Rules

Jul 5, 2012

I have a problem with firewall rules. If I set some rules for open communication and some for closed, so I cannot reorder from the end to begin.

Last rules are at the end of all. So I can only reorder in one pages.(I have about 33 rules = 3 pages of rules)

View 4 Replies View Related

Cisco Firewall :: Creating ACL And Nat Rules On ASA5505

Mar 23, 2012

Ive migrated from my lab pix to a lab asa and am trying to open certain ports to my internal network.
in my confg on my pix i had acls to open port 51413 to an inside host along with the static nat rule.
what i am trying to accomplish is same on my asa, however the nat rules seem to be slightly different, and i'm not completely sure how to do it.
My ACL and nat rule is below.  I'm pretty certain my acl is correct,but i am not sure as to what to do with my NAT rules to allow a translation for the tcp service.
access-list outside-in extended permit object tcp51413 any object outside nat (inside,outside) source dynamic all-inside-nat interface

View 3 Replies View Related

Cisco Firewall :: Change Order Of Nat Rules (v8.4)?

Sep 26, 2011

I have a question about the new nat implementation in an ASA 8.4. when I perform a "show nat" I get the following result:
1 (outside) to (inside) source dynamic any NAT-SSL-VPN_172.30.100.250 destination static 00B_172.30.100.0_24 00B_172.30.100.0_24
    translate_hits = 26, untranslate_hits = 0

2 (inside) to (outside) source static LAN-HOST_172.30.100.11_LNX01 WAN-HOST_84.199.44.2_32_LNX01 service TCP-80-HTTP TCP-80-HTTP
    translate_hits = 0, untranslate_hits = 0
Is it possible to change the order of the nat rules without removing and reapplying the rule on position 1 ? (both rules have to stay in section 1)

View 3 Replies View Related

Cisco Firewall :: ASA8.4 VPN - Hit Count Is Zero On Rules

Nov 7, 2012

I have several working VPNs between ASAs 8.4 and 8.3The way this was set up is with cryptomaps that match whole subnets and ACL on the outside interface to permit from/to the RFC 1918 addresses.I notice that the hit count is zero on these rules and so I wonder if they are actually necessary or doing anything.If they are not where can an acl be applied to restrict the VPN traffic? Outbound on the inside interface?

View 1 Replies View Related

Cisco Firewall :: ASA5505 - Possible To Add Rules To Users

Aug 2, 2011

How can I filter my local lan's URL requests?  Is it possible to have some sort of list like...
Then only allow certain ip's access to the entire internet like this...

It would be nice to possibly be able to add the rules to users in my domain, then associate the domain account with an IP OR have them login to view webpages.

View 12 Replies View Related

Cisco Firewall :: Invisible NAT Rules (twice) Added In 8.3 For VPN?

May 31, 2011

Note If  you configure VPN, the client dynamically adds invisible NAT rules to  the end of this section. Be sure that you do not configure a twice NAT  rule in this section that might match your VPN traffic, instead of  matching the invisible rule. If VPN does not work due to NAT failure,  consider adding twice NAT rules to section 3 instead.  

View 2 Replies View Related

Cisco Firewall :: 871 Configuration - Basic Rules

Jan 3, 2013

I have an 871 and all I need to do is some basic rules. Here is the config I am  having the issue with.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Access Rules

Aug 13, 2012

When i create a rule and enable icmp in ASA inside to outside direction to testing purpose, but I can't ping outside address ,  

access-list ICMP extended permit icmp any any 
access-group ICMP in interface inside
%ASA-3-106014: Deny inbound icmp src outside: dst inside: (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside: dst inside: (type 0, code 0)
then I have permitted icmp for return path then it works, configs and logs are followed,
access-list ICMP extended permit icmp any any 
access-group ICMP in interface outside
%ASA-6-302020: Built inbound ICMP connection for faddr gaddr laddr
%ASA-6-302021: Teardown ICMP connection for faddr gaddr laddr

View 1 Replies View Related

Cisco Firewall :: Duplicate Rules On ASA5585

Oct 17, 2012

I got some issues with my CISCO ASA, the thing is that when I add a new rule on the device this rule duplicate and goes to the bottom. We already tried to delete the duplicate rule but it always show an error.
-Model 5585
-ASA Version: 8.2(5)
-ASDM version: 6.4(5)

View 5 Replies View Related

Cisco Firewall :: Rules In 877 Firewall

Nov 3, 2011

I have a firewall enabled cisco 877 with these rules.
Interface Dialer0 IN    10 deny ip any    20 deny ip any    30 deny ip any    40 deny ip any    50 deny ip any    60 deny ip any    70 deny ip any    80 permit tcp any any eq 22 (8810 matches)    90 permit tcp any any eq 242    100 permit udp any any eq snmp    110 permit icmp any any echo (6 matches)    120 permit udp any any eq non500-isakmp (3 matches)    130 permit udp any any eq isakmp (1 match)    140 permit tcp any any eq www (26 matches)    150 permit udp any eq domain any    160 permit tcp any any established (6 matches)    170 permit tcp any any eq smtp (2 matches)    180 permit tcp any any eq pop3 (3 matches)    190 permit tcp any any eq 443    200 permit esp any any    210 permit ahp any any
Interface Dialer Out     10 permit ip any any
This rule which is its function?"permit tcp any any established"

View 1 Replies View Related

Cisco Routers :: RV042G Which Rules Have Priority Firewall

Oct 14, 2012

I have made a firewall rule that accepts FTP from WAN2 outside to the inside private LAN with IP address specified.But this didn't work.When I added in the forward rules that FTP had to be forwarded to this IP address it worked.I have done some testing but it seems that the firewall rules do not have any priority on the forward rule.If I disable the forward rule i cannot connect with ftp even with a firewall rule made.

View 7 Replies View Related

Cisco Firewall :: ASA 5505 - No Internet Using Static NAT Rules?

Feb 5, 2012

I'm trying to configure a second server on my network but whenever I add the static NAT rule, the internet stops working on that computer.
Here's my Cisco ASA configuration:
ASA Version 7.2(3)
hostname domain


View 16 Replies View Related

Cisco Firewall :: ASA 5505 - Rules And PAT Weird Behavior

Jun 21, 2012

In the last 8 month I have been upgrated at least 6 Cisco ASA 5505 from 8.2(1) to 8.4(3) without problems, I did a minor changes and all related to rules due a problem with the migration.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Add Rules Through CMD Prompt As Against ASDM

May 28, 2013

We have a pair of ASA  running 8.0 (old) version.  The way we create outbound rules is done through ASDM and when we need to open outbound connections to a server in the internet, we create named object with IP address configured manually.But practically , this doesnt work, since  the server is a server name which can resolve to multiple addresses. Everytime the server chagnes its IP the ASA rule needs to be updated.Is there a difference if we add rules through CMD prompt as against ASDM where we need to enter IP addresses?

View 3 Replies View Related

Cisco Firewall :: FWSM Acl Rules Rv042 Not Working At All

Sep 20, 2011

On my RV042 (I used it for a couple of years now without issues), the DIAG led light amber (steady). It's not documented in the user manual.User manual says only:,Diag  (Red)  The Diag LED lights up when the Router is not ready for use. It turns off when the Router is ready for use.",Router does not work anymore and I can't access its web page as I used to do before this problem.I did a reset to factory default (reset button hold for more than 30 sec.) but it didn't change anything.

View 1 Replies View Related

Cisco Routers :: RV180 Firewall Access Rules And 1:1 NAT

Nov 26, 2012

I have a static IP block and need to route to various servers.  I know I can use 1:1 NAT or Access Rules and have success with each.  The problem is my mail server.  When I use 1:1 NAT, the mail is sent from the correct IP - the address of my mail server - and there is no problem with reverse lookups.  However, I cannot block any ports when I use 1:1 NAT.  I have tried it every way I can think of and even some suggestions in the forums that did not work.  No matter how I set access rules, all port stay open in 1:1 NAT.
If I delete the 1:1 NAT rule and use Access rules to open specific ports, the mail server sends out the mail from the WAN address.  The reverse DNS does not match and mail server will bounce the mail. 

View 11 Replies View Related

Cisco Firewall :: ASA 5520 Difference Between Access Rules And ACL / ACE?

Nov 2, 2011

We are moving from a different vendor to ASA 5520s. So far my "training" for Cisco consists of s  Cisco press book, some white papers and guides, this website, and a bunch of mistakes. So, I have what is probably a pretty basic question for most folks.
What is the difference between Firewall Access Rules and ACL/ACE? And when to use which?
for example: on my ASA 5520s I've set up an Interface for my internal LAN: 172.16.x.x., a DMZ, and an interface for the Internet side. The 5520 is set up as a routing firewall betwen my internal lan, DMZ, and Internet.
If I want to allow my internal users Internet access for http and https would I use a Firewall Access rule?For most of my rules allowing outbound access from my 172 LAN and DMZ and inbound access to devices in my DMZ can I mostly utilize the Firewall Access Rules?

View 1 Replies View Related

Cisco Routers :: RV180 Firewall Access Rules

Sep 3, 2012

I purchased a RV180 router, and would like set the Firewall Access Rules as below

- Action: Always Allow
- Service: HTTP
- Source IP: Any
- Send to Local Server (DNAT IP): private ip (192.168.1.xx)
- Use Other WAN IP Address: Enable
- WAN Destination IP: one of public ip (different of the router WAN ip address)
 - Action: Always Allow
- Service: FTP
- Source IP: Any
- Send to Local Server (DNAT IP): private ip (192.168.1.xx)
- Use Other WAN IP Address: Enable
- WAN Destination IP: one of public ip (different of the router WAN ip address)
The firewall access rules no problem within 1 hour after setting. I can access the http / ftp services by the WAN ip address. After several hours, I can't access the services.
I can set the one-to-one NAT rather than use the firewall access rules, but I would like block all other ports, and one-to-one NAT will forward all ports to the private ip address. Administrator > Logging > Firewall Logs , when I enable the settings, where can I get the log of the firewall?

View 4 Replies View Related

Cisco Firewall :: 5540 ASDM Does Not Display All Rules

Jan 15, 2012

we replaced our PIX525 firewall with an ASA 5540 firewall, and now we see some strange behavior in ASDM.ASDM does not display all the rules, but i see all all the rules in cli.

View 8 Replies View Related

Cisco Firewall :: Converting To ASA5520 Rules Base

May 17, 2012

I am just about to start on a project where we are moving from Old Cyberguard firewalls to ASA 5520 firewalls, any rule base converstion tool that would be able to do a lot of the basic work? And so of the NAT conversions?

View 1 Replies View Related

Cisco :: 255 Finding Unused Vlans

Apr 17, 2012

We have created more than 255 Vlans during last 5 years, and we know that eye-catching part of which are unused, I took a report from campus manager searching for Port Attributes to find out which port is assigned to a specific Vlan but as long as there are numerous ports in trunk mode connecting to Virtual servers I can not find out if unused vlans which I exclude from the report I took are really unused or not , how can I find the unused Vlans.

View 2 Replies View Related

Cisco Firewall :: ASA 5550 - SCTP Stream Based On FW Rules

Sep 23, 2010

I would like to know if ASA 5550 appliance is able to handle SCTP (IP protocol 135) stream in terms of allowing/filtering based on FW rules. We have a problem, though we allowed SCTP IP prot to go through an interface, however I can see that 135 packet are permanently discarded in live monitor. I found some hints here[ URL } but it still seems to me as an assumption

View 9 Replies View Related

Copyrights 2005-15, All rights reserved