Cisco Firewall :: With ACL And Access Group With 1811w

Apr 25, 2013

I have some problem to get working ACLs. The main purpose of this ACLs is to control what is going out from vlan to internet. (For example, i want that only my proxy can access to the web.) So, i use Cisco Packet Tracer and test new rules in lab without any problem.
interface Vlan1
ip address x.x.x.x x.x.x.x
ip flow ingress
ip flow egress
ip nat inside

But it doesn't work on my Cisco 1811w and i dont uderstand why and i'm not sure to have sufficient knowledge to aolve my problem by my own.

View 10 Replies


Cisco Firewall :: ASDM Access Through S2s Tunnel Group On ASA5510

Feb 7, 2012

For years now we've had an ASA5510 running an old version of ASA/ASDM (7.0/5.0) and couldn't access ASDM through a modern system with a recent JRE, so we didn't bother with this.
However, we've recently upgraded ASA/ASDM for purposes of adding failover and want to be able to access ASDM through our site to site tunnel. The site to site tunnel gives us access to the VLAN that the firewall is the gateway for, but not access to the firewall itself.
This side of the network is the subnet, and that side of the network is the subnet. I can ping devices on the subnet, but not the firewall, (not that I really need to) and devices can ping me back. I can access ASDM through RDP or ssh into a server on the subnet, but not directly from the subnet.
This is the current config relative to the subnet:
access-list trust_nat0_outbound extended permit ip
access-list untrust_cryptomap_600 extended permit ip


As far as I'm aware, the tunnel comes into the firewall through the untrust (public) interface, because that is the destination of the tunnel on the subnet side.
What am I missing here that would allow asdm access through the untrust interface for the subnet?

View 27 Replies View Related

Cisco VPN :: ASA5500 Remote Access Group Policies IPsec Client Firewall

Mar 6, 2011

We have ASA5500's deployed for remote access concentration.We use Cisco IPsec vpn client with a group policy the chacks for Network ICE BlackIce ersonal firewall.The powers-that-be wish to change to McAfee presonal Firewall ok..Now the Group Policy allows you to check for several pre- configured Firewalls, Cisco Integrated, Sygate, Zone Labs etc.So as McAfee are no listed then I am to assume we go for "Custom Firewall" and this is where I am struggling.To configure checking for a Custom Firewall I must have the Vendor ID and the Product ID.McAfee haven't the faintest idea what we're talking about when we ask them for these details.Or is there a way to extract them from the registry of a machine with the McAfee product installed?

View 3 Replies View Related

Cisco Firewall :: Internet Access Through ASA 5540 For Specific Network Object Group

May 2, 2011

I have a 5540, and i am trying to allow access to internet for an specific network object group, who has inside a bunch of users, who needs direct internet access without any restrictions, i have tried with dynamic NAT, but that configuration ask for a specific IP o a Network range, and is not permitted to configure an  object group as a source
The group is located in LAN zone, so a permission from one zone to another zone is needed i think, but i can allow the internet acess to that group Is there another way to get that , different from NAT ?

View 5 Replies View Related

Cisco Firewall :: Number Assigned For Firewall-group On 6509 Significant

Nov 17, 2011

Is there any significance to the parameter "firewall-group" in the command

firewall vlan-group <firewall-group> <vlan-id>…<vlan-id>?
In other words is the series of commands
firewall switch 1 module 3 vlan-group 1,2
firewall vlan-group 1 100,101,102
firewall vlan-group 2 200,201,202
exactly equivalent to
firewall switch 1 module 3 vlan-group 3
firewall vlan-group 3 100,101,102,200,201,202
firewall switch 1 module 3 vlan-group 1,2,3
firewall vlan-group 1 100,200
firewall vlan-group 2 101,201
firewall vlan-group 3 102,202

All three of these options associate the same set of  vlans to the FWSM but using different groupings. As far as I can tell, these groupings have no functional significance either on the switch side or the FWSM side. These are simply three different ways of specifying exactly the same thing? Am I correct?

View 2 Replies View Related

Cisco Firewall :: Add New Vlan In Existing Firewall Group In 6500?

Jan 19, 2013

I want to add new vlan in existing firewall group in 6500. I am confused if it will add new vlan or overwrite.. I am using ASASM module with 6500.

View 3 Replies View Related

Cisco VPN :: ASA 8.4 LDAP Group To ASA Group Policy Mapping?

Jul 31, 2012

I try to map LDAP Group to ASA Group policy following documentation:
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well but I do run into problems. The mapping as shown in LDAP Debug and ASA Log will actually happen but it is overwritten by the "GPnoAccess" Group Policy configured locally in the Tunnel Group. From earlier works with RADIUS I would have expected the user specific Attribute to be "stronger"?
ASA Log:
AAA retrieved user specific group policy (correct Policy) for user = XXX
AAA retrieved default group policy (GPnoAccess) for user = XXX

View 3 Replies View Related

Cisco Firewall :: SSH Key Exchange DH Group 14?

May 29, 2013

I am trying to issue command "ssh key-exchange group dhgroup14" on several of my ASA firewalls.  The key-exchange command is failing on 3 of 4 ASA firewalls.  According to Cisco documentation, this command was introducted in 8.4.  My ASA's are running version,, and 9.1.2.  The command is available only with 9.1.2.
Example from one my ASA.
lbjinetfw# show version | in Version
Cisco Adaptive Security Appliance Software Version 8.6(1)10
Device Manager Version 7.1(2)
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
lbjinetfw# config t
lbjinetfw(config)# ssh


View 3 Replies View Related

Cisco Switching/Routing :: 887 No Ip Access-group

Jul 15, 2012

i am not able to apply an access-list to FastEthernet 0 as the ip access-group is not supported in Interface mode but only in interface vlan mode.How can I stop traffic into the LAN network?

View 6 Replies View Related

Cisco VPN :: ASA 8.2.x - Control Access To Different Group Policies On VPN? 

Mar 22, 2010

Using Microsoft IAS as the auth server, how do I get the ASA (v.8.2.1) to take different user groups defined in AD, and control access to different group policies on the VPN?  We're setting up the ASA for many different vendors, and need to control access for each vendor with different policy.

For example, Vendor one is in AD group Vendor1 and will only be permitted access to a specific group of defined IPs in our network. Vendor two is in AD group Vendor2 and will only be permitted access to a different group of defined IPs in our network from Vendor1.

View 12 Replies View Related

Cisco Firewall :: ASA5505 NAT For Group Of Objects

Oct 4, 2010

My ASA5505 has an external address of x.x.x.13. We have got another 2 spare ip addresses: x.x.x.10 and x.x.x.11.We also have 2 internal hosts, which we need to provide with internet access using NAT. y.y.y.146 and y.y.y.70.
We recently updated our ASA to software version 8.3(1). I was thinking that I could do it using network objects and groups, but didn't understand quite good how this should be done.
The goal is to set up ASA in the way, that if either of the abovementioned 2 hosts will connect to the internet, it needs take one of 2 external addresses. All other hosts should use PAT through x.x.x.13.

View 21 Replies View Related

Cisco Firewall :: DNS Server Group On ASA 5510

Apr 5, 2011

I can not have "dns server-group" on my asa 5510, could you tell me how to get this command in my ASA 5510.

View 3 Replies View Related

Cisco WAN :: 1811W Connection Won't Come Up

Jul 24, 2011

Cisco 1811 device.  Working great with connection from TWTELCOM, trying to add 2nd connection from BRTHOUSE set SLA's and metrics but config still isn't working.  The connection won't come up and when I do show ip route ip address it doesn't show a metric so neither connection has a priority and the connection fails.  I want brighthouse to have priority as shown with SLA's but if brighthouse fails I want it to go back to twtelcom. [code]

View 1 Replies View Related

Cisco :: Access Control Lists And A Bridge Group?

May 13, 2012

I've got a Cisco 1841 with 2 FastEthernet ports here. My Cisco isn't great, and I've been given a problem I don't seem to be able to crack.Essentially, I have one network with two sides. I've connected these to fe0/0 and fe0/1 on the router, and put them interfaces into a bridge group which as far as I can tell, essentially makes the router a 2 port switch...I know this won't make a lot of sense from a normal network point of view, but what we need to do is allow all traffic from fe0/0 to fe0/1, but not allow any traffic in the reverse direction. The traffic allowed to flow from fe0/0 to fe0/1 must include broadcast traffic (infact that is the most important traffic, its how the silly theatre application works). None of the traffic is IP addressed.... ie, each of the devices on the network assign themselves an IP address, and then throw broadcast traffic out on to the "dedicated physical network" that exists between them for communication[CODE]

View 2 Replies View Related

Cisco VPN :: ASA 8.4 - Access To Group-url Denied By Reserved Keywords?

Apr 3, 2012

I'm configuring ASA 8.4 for SSLVPN allowing Web Portal access with group-url. I've noticed that if I put certain keywords after slash mark on group-url, client access would be denied by http 404 error.
Here's my configuration:
tunnel-group test type remote-access
tunnel-group test general-attributes
default-group-policy test


View 3 Replies View Related

Cisco Routers :: RV042 Group VPN And Access Rules

Sep 10, 2012

I've setup a GroupVPN and connect to the RV042 with the Shrewsoft VPN client, works like a charm as opposed to QuickVPN ;-)The firewall is configured with an explicit deny rule for RDP access to an internal server, also an explicit allow rule is created for certain IP numbers as source. I noticed that I need to create an explicit allow rule for the subnet the Shrewsoft client is using for the virtual adapter or I will not be able to access the internal server via RDP through the GroupVPN tunnel.  I would think that setting up a tunnel defies the rules created for direct access on the WAN port.

View 5 Replies View Related

Cisco VPN :: ASA 5510 / Create Different Group With VPN Remote Access

Apr 7, 2011

Last time, i´ve implemented a Remote Access VPN to my network with ASA 5510 I´ve allowed to my VPN an acces to all my Internal LAn But i want to configure a group of vpn  in the CLI for have different group of user which can access to different server or different network on my LAN.
Example : informatique group------access to 10.70.5.X   Network
                Consultor group -------- access to 10.70.10.X Network
I need to know how can i do that , and if you can give me some eg script for complete this Here is my configuration :
ASA Version 8.0(2)!hostname ASA-Vidruldomain-name vidrul-ao.comenable password 8Ry2YjIyt7RRXU24 encryptednamesdns-guard!interface Ethernet0/0 nameif outside security-level 0 ip address X.X.X.X 255.255.255.X!interface Ethernet0/1 nameif inside security-level 100 ip address  X.X.X.X 255.255.255.X!interface Ethernet0/2 shutdown no nameif no security-level no ip address!interface Ethernet0/3 shutdown no nameif no security-level no ip address!interface Management0/0 description Port_Device_Management nameif Management security-level 99 ip address  X.X.X.X 255.255.255.X management-only!passwd 2KFQnbNIdI.2KYOU encryptedftp mode passivedns server-group DefaultDNS domain-name vidrul-ao.comaccess-list 100 extended


View 2 Replies View Related

Cisco Firewall :: ASA5505 How To Convert 3 Group Mac Address To 6

Apr 16, 2013

Recently i bought asa 5505 to practice for my exams and i failed to connect to internet since my internet provider binds IP and mac for every users and  supports only 6 group mac address (xx-xx-xx-xx-xx-xx) format. because asa 5505 has  3 groups (xxx-xxx-xxx) mac address they are unable to provide me the connection.So my question is how can i assign 6 group mac address to asa5505.

View 2 Replies View Related

Cisco Firewall :: PIX515E - No Translation Group Found For TCP

Mar 17, 2012

i wounder why i'm getting such log message whenever i'm trying to reach my remote site: No translation group found for tcp src outside XXXX dst dmz ZZZZ, i have a Cisco PIX515E firewall and that message is captured there, the traffic is going through a VPN tunnel (the VPN are up on both ends)

View 2 Replies View Related

Cisco Firewall :: Group Failover Happening Automatically On ASA 8.0.5 23

Nov 6, 2012

We are having ASA 5550 running on 8.0(5)23 IOS. We are having 2 failover groups group1 & group2. currently all contexts are on group1 & its active & Group2 is in BulkSync mode but from last 2 days the failover for group 2 is happning, i am not able to find anything in logs. Its happing daily from 2 days.

View 4 Replies View Related

Cisco Firewall :: Cat6500 To Add Vlan Group For Fwsm

May 22, 2012

i have fwsm in cat6500, i have one firewall vlan group which is in firewall module 1 vlan group 10. I need tocreate another vlan  group and add to firewall module 1 vlan group 10, 20. i need to have zero downtime.

View 2 Replies View Related

Cisco Firewall :: Error 305005 - No Translation Group Found?

Jun 26, 2011

Error message
305005: No translation group found for udp src c_dmz: dst inside:
305005: No translation group found for udp src c_dmz: dst inside:

I thought it needed a nat (c_dmz) command but I got the following error message
PIX(config)# nat (c_dmz) 0 0 0 nat 0 will be identity translated for outbound WARNING:  Binding inside nat statement to outermost interface. WARNING:  Keyword "outside" is probably missing.

View 2 Replies View Related

Cisco Firewall :: ASA5520 Split-TunnelAcl Set Group Is Not Working

Oct 21, 2012

I have an ASA5520 with mobile VPN Ipsec.The "splitTunnelAcl" set the group is not working.

View 7 Replies View Related

Cisco Firewall :: 5505 - PPPOE Client Vpdn Group

Mar 3, 2013

I need to use a Cisco ASA 5505 on a BT Openreach connection, The configs that I have ben using are below -
interface vlan2
nameif outside
security-level 0


View 1 Replies View Related

Cisco Firewall :: 5510 No Translation Group Found Error

May 31, 2011

I have a 5510 with just a inside and outside interface, everything works on the lan inc internet access and exchange hosting to the net, but I have another exchange server on the wan and I can't get to that because I'm not natting inbound traffic and the default route sends traffic elsewhere.
If I put a nat any statement on the inside interface inbound it works, however all LAN internet traffic fails with a  No translation group found error.I've removed the static nat commands as they are all named anyway, but below is what I have before I do a nat any inside inbound command global (outside) 1 interfaceglobal (inside) 2 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Multiple Pools / Group Authentication?

Apr 8, 2011

can i have on asa 5510 multiple pools and multiple group authentication for various departments along with restricted access if any

View 3 Replies View Related

Cisco Firewall :: Object Group Network Limit With Asa 5510

Oct 29, 2012

We have Cisco ASA 5510, I am about to add another 2 Objectgroup network  groups on the firewall to our already growing list. Under this Object-group Network xxxx , we are planning to add about about 500 network-object host . This objectgroup will then be applied to an ACL. Just wanted to know if thats possible - meaning addnig 500 hosts? If it is whats the limit?
Also are there any other things to keep in mind before i go-ahead with this huge object group?

View 3 Replies View Related

Cisco Firewall :: 5510 - No Translation Group Found For UDP Src Inside

Jan 10, 2013

I have seen many of these errors lately.  We have just moved to a new office and I have basically only assigned a new IP to the outside interface.

View 6 Replies View Related

Cisco WAN :: How To Connect 1811W In Internet Modem

Oct 19, 2012

I am having  a hard time connecting my router into a internet modem since my modem is giving its own private ip address in short the modem is a router in itself. in addition, I cant change the modem's dchp pool its fix with network.

View 3 Replies View Related

Cisco WAN :: Failed DDNS Configuration 1811W

Jan 9, 2011

I am attempting to configure DDNS on an 1811W, but my configuration fails.  Apparently,it is not connecting to the TZO server, because when I run <show ip ddns update> in telnet, the message "update destination not available, although can be pinged.  I am attaching a copy of the config file.  the ip name-server entries are my IP DNS, and the url/user name/ key entry was provided by TZO support. 

View 3 Replies View Related

Cisco WAN :: Accessing Settings Of 1811w Router?

Dec 4, 2011

I have an 1811w router and can not figure out how to access the settings of the router. I do not have a console port that I can use to access the settings that way so I want to know how to do it using the SDM. I thought I was following the directions but for some reason when I connect my computer to one of the routers LAN ports no connection is recognized on either the router or the computer. How do I go about connecting to the router and accessing the settings?

View 1 Replies View Related

Cisco Firewall :: 5585 - Two Different Subnets Assigned To Single Bridge Group

Apr 9, 2013

We are deploying two Cisco 5585 in transparent mode and multiple contexts. they are running Active-Active fail over.
There are a lot of V LANs need to be added in the contexts, we are trying to use least contexts to fulfill.
ASA supports 8 bridge groups for each contexts, and maximum 4 interfaces for each bridge group.
We have assigned four interfaces in different V LANs , set two of them as a pair with one IP sub net and the other two interfaces are in another IP sub net.
For example :
Bridge group 1:
inside1  and  outside1    ------->
inside2  and  outside2    ------->
However, we can only make one sub net(V LAN pairs ) work when the BVI is set to that IP sub net. If the BVI set to, the inside1 and outside1, the other pair not work. If the BVI set, then only inside2 and outside2 work. 
Since the BVI can only be assigned to either of the sub net, Is it possible to make both vlan pairs work ? Or we only can have one sub net in one bridge group ?

View 1 Replies View Related

Cisco Firewall :: ASA 5585 Cannot Connect To Context Active In Failover Group 2

Nov 7, 2011

I am setting up a new pair of ASA 5585's in a multi-context, active/active failover design.  I cannot create management SSH connection to the contexts that are assigned to failover group 2.  With all the security contexts that are assigned to failover group 1 I can SSH to the inside interface IP and login without a problem.  When I try to do that to the group 2 contexts there is no response from the firewall at all, PuTTY just times out.
My firewalls are running version 8.2(4).  The contexts seem to be functioning normally in all other respects.

View 5 Replies View Related

Copyrights 2005-15, All rights reserved