Cisco Firewall :: Can Only Access Polycom In One Direction ASA 5510?
Apr 11, 2013
Using packet tracer I get an error saying:
Config
nat(inside) 1.0.0.0.0.0.0.0.0
match ip inside andy inside any
dynamic translaion to pool 1 (matching global)
translate_hits=45236,untranslate_hits=0
I cannot access my polycom unit on 172.20.16.8 via 10.20.60.8 below is my results of show run Result of the command: "show run"
I am encountering some problems setting up my new polycom hdx 8000 behind ASA 5540?I have opened reuired ports through the firewall ( incoming and outgoing). I have enabled inspection h323 on ASA and enabled the option NAT is 323 compatible on Polycom.
3230-3243 tcp h323 tcp h323 udp 3230-3285 udp
Here is the problem.I get connected to the call but I cannot the remote site cannot see and hear me.But I can see and hear them.
I have this problem with the Polycom Video Conferencing (HDX 7000) While we can initiate a video call to other locations, we can not receive a video call from other locations. Whenever there is a incoming call, the polycom is ringing fine. but once we answer the call, the call will be disconnected. Our access rules are listed below, 203.125.99.99 is our public IP for example.
We are trying to get a video conference system (POLYCOM) up running. Thrue a Cisco 1812 router with Firewall feature set.
I Have heard in the past that there should be issues with Polycom and Cisco, but have actually never seen it.I can establish a video call from inside the 1812 to outside.
But when I try from outside to the public ip adress there is nattet to, then it reach the video system and die straight after, so there is never any video session set up.
I have tried to remove everything regarding firewall feature and passing true, so the only thing the 1812 should do is NAT. And still the same.
I can not see anything in the log on the router from the ACL's where I permittet everything, other then it connect on the port TCP 1720, as it should. This is the software I'm running on the router:
When I search Google, it look like there is a lot issues with Cisco and Polycom, but I have not found any concret solution. Other then I should use a ADSL line with a public IP address. As we probably is going to do.
I am trying to set up a Cisco ASA 5510 running 8.2 to allow a connection to a Polycom camera that sits behind it. What I want to do is forward multiple ports to allow a connection from an outside office. The polycom camera uses the following ports:
1720 tcp 3230-3235 tcp 3230-3253 udp
I got these port numbers from the Polycom web site. So what I did was create a service object as follows:
object-group service All-Polycom-ports service-object tcp range 3230 3235 service-object tcp eq h323 service-object udp range 3230 3253 My question is how can I use this service object in a static (inside,outside)
command so that I don't have to create multiple commands for the port forwarding. Is this even possible or do I have to sit down and write out around 30 seperate commands to do this. I've been searching the web and it seems a lot of people want to do this but so far I haven't found an answer.
The problem is that calls originating from the outside of the firewall to the inside will ring but you cannot answer. The internal video conference server is a Polycom HDX 7000. There are ANY/ANY rules to/from this server and the default application inspection policy is set for h323/ras/h225 as follows:
I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
This is my first time to use the Cisco ASA 5500 family. I have a request from a user to create an access rule, to allow all LAN traffic to Destination IP address 165.241.29.17, 165.241.31.254 with Destination TCP port 5060,5061,5070 and UDP port 50000-52399.
Recently powered down device (transformer overhaul) and when it booted back up, unable to access with ASDM, SSH...can access directly using HyperTerm, but have only limited commands...will not accept known user/password credentials. When I issue 'show flash' I can see that there are upgrade_startup_errors.log files, but cannot access them.
Is there a way to access the asa in a failover pair that is in standby mode from the primary asa? IE I am logged into the primary asa via command line and was hoping to access the other asa from here.
I can't seem to get internet access working from the DMZ network through our ASA 5510. PCs on the DMZ can ping the ASA but can't get out to the internet.I will attach a (cleaned) configure.
I can get access to the internet from the ASA 5510 itself and that is confirmed via pings. However, anything behind the ASA does not have internet access, on any VLAN/sub-interface. I've attached my running-config.
the set-up is: a DSL modem in half bridge (it does all the PPPoE connection) passes our static IP (55.167.x.x) to the ASA's outside interface ... (the modem has an IP of 192.168.1.1, but not sure this matters)
then I have one inside interface on 192.168.43.1, which connects to a server and we have a working site-to-site VPN between this server and a client.. so I know most of it's set up right ... nothing else is on the 192.168.43.0/24 network.
the management interface is on 200.200.1.0/24 so it's out of the way and incidentally connected to a dedicated PC, which also has console access via the blue serial cable.
the last interface Main_Network is on the 192.168.0.0/24 network and it's this that I'm trying to get to work... at the moment I just have one Windows PC connected directly (does it need to go through a switch?) into the ASA for testing with a static IP (192.168.0.72), but I can't ping anything outside from the PC... only the ASA's interface (at 192.168.0.30).. I have the gateway on the PC set as 192.168.0.30 by the way.
The ASA can ping all the inside machines and anything I like outside.
Here's my config ... the static routes are there for when this replaces the current modem/router and the whole network plugs into the ASA.
ciscoasa(config)# show running-config : Saved : ASA Version 8.2(5) ! hostname ciscoasa
I lost the ability for my Web server (or any servers in the DMZ) to access the Internet. However, the Web server is still being used fine from the Internet. Here is my config
I bought ASA 5510 about a week ago, very basic configuration and my priority was and still to get access list inbound the outside “Security Level 0 “so I can access my web server from the cloud but unfortunately I could not make it work (((TCP access denied by ACL from 92.40.X.X/52511 to outside:81.108.X.X/80))). ••à>> 92.40.X.X is a pc from the cloud that I used to access my web server and the 81.108.X.X is my public ip address My recent Conf is as follow:
Nat Section: ================================================================================== Dynamic: nat (inside,outside) source dynamic any interface <<<To have the PCs that inside the Network to have access to Internet>>>>
I've got an ASA 5510 that has been working like a charm for some time now. Until now we've not had to nat any resources to the outside. I created network objects for an internal host and an external host. The internal host has to respond to requests on tcp/2001.
The internal host has no problem accessing the internet, but when I attempt to access the internal host from the outside, I get the following:
We currently have one Cisco ASA 5510 firewall at our mailn office. Our firewall does not let users access the internet. We currently have a web proxy that lets users access this. I need to let users access one website through the firewall without going through the firewall. I believe this is possible if I use dynamic NAT.
I have a mail archiver (hardware device) in my network that I need to access to from the Ipad/iphone. There is an app for it but I have to allow the access on the ASA. I created an 'object' for the device and added a Static NAT entry for it, then added an access rule. Its not working so I am guessing I did it wrong. The device uses port 8000 which I also added to the object. correct commands, or using the ASDM works too.
I do have one other question first. What's the effect of the crypto key zeroize rsa command, and then crypto key generate rsa modulus 1024 while I'm SSH'd to the ASA? Can I do it? Or do i need to be consoled in or connected a different way?
ASA 5510: ASA Version 8.4(1) asdm image disk0:/asdm-641.bin asdm history enable http server enable http 10.1.1.83 255.255.255.255 inside http 10.1.1.82 255.255.255.255 inside
Shouldn't that right there be enough to access ASDM from either host .82 or .83? Because I cannot. But if I add http 0.0.0.0 0.0.0.0 inside, then I of course can.
Has ASA5510-K8 as firewall, has access rules setup for restricted PCs: [code] permitOn those PCs, users can only browse the websites that are in favorites, but some of them are working, some are not.Test on unrestricted PC, websites that can’t be accessed from public PCs can be access on regular PCs , either by address or IP.Checked GPO setting, don’t see anything wrong there.
I have an 5510 running 8.4(1) I can ssh into the system with no problems until I scan the device with Nessus security scanner. After that I just get timeouts from the client when I try to connect and the only way to fix the problem is to reload the device. I have included 2 syslog dumps one showing ssh into the device before(working) the scan and one after(not working).I do not have any acls on that int and I have turned off basic threat detection. The devices is still running I can login via the serial console and via ASDM it just appears ssh is someone shutdown or hung.
WORKING
4/21/2011 11:33:43 AM 192.168.11.108 Debug %ASA-7-609002: Teardown local-host testing:192.168.65.106 duration 0:00:104/21/2011 11:33:43 AM 192.168.11.108 Informational %ASA-6-302014: Teardown TCP connection 50 for testing:192.168.65.106/4462 to identity:192.168.11.108/22 duration 0:00:10 bytes 3691 TCP Reset-O4/21/2011 11:33:43 AM 192.168.11.108 Informational %ASA-6-315011: SSH session from 192.168.65.106 on interface testing for user "test" terminated normally4/21/2011 11:33:40 AM 192.168.11.108 Informational %ASA-6-605005: Login permitted from 192.168.65.106/4462 to testing:192.168.11.108/ssh for user "leeh"4/21/2011 11:33:40 AM 192.168.11.108
[code]....
NOT WORKING
4/21/2011 12:38:17 PM 192.168.11.108 Informational %ASA-6-302014: Teardown TCP connection 86 for testing:192.168.65.106/1954 to identity:192.168.11.108/22 duration 0:05:01 bytes 0 Connection timeout4/21/2011 12:38:17 PM 192.168.11.108 Debug %ASA-7-609002: Teardown local-host testing:192.168.65.106 duration 0:05:014/21/2011 12:33:15 PM 192.168.11.108 Debug %ASA-7-609001: Built local-host testing:192.168.65.1064/21/2011 12:33:15 PM 192.168.11.108 Informational %ASA-6-302013: Built inbound TCP connection 86 for testing:192.168.65.106/1954 (192.168.65.106/1954) to identity:192.168.11.108/22 (192.168.11.108/22)
I have a cisco ASA 5510 that I have set up currently to access via ASDM through the Inside interface. When I VPN in using our older VPN server I can connect to it fine. I recently set up the ASA to also be a VPN server which will eventually replace the older server for our HQ. I noticed that when I'm VPN using the ASA as the VPN server, I can only ASDM to the public which I prefer not to allow. Access to the inside doesn't seem to work this way. What configurations if any would be causing this. I'm assuming it's some thing I need to adjust in the VPN configuration.
First off, let me preface this by saying that I'm a novice when it comes to firewalls and more specifically, the ASA. I do however, have an above average understanding of switches/routers.
We have an ASA 5510 running 8.3 and recently I've decided to clean up the last admin's mess. All hosts and servers are on the same subnet, multiple subnets on the same VLAN... and a slew of other problems. Anyway, I recently placed the IT department on another subnet to test some things out before I migrated other departments to different networks. Everything seems to be working as it should be with the exception of one of our servers. The IT subnet is 192.168.150.0/24 and the problem server is on the 192.168.10.xxx network. I'm guessing the issue lies somewhere in the fact this server does have a static NAT and is accessible from the public. Let me give you an overview of what our network looks like:
ISP ---->ASA----->3750----->2960
My workstation is directly plugged into the 3750 switch, and the server is plugged into the 2960. I'm able to ping this server by both IP and hostname. However, I cannot access port 80 by IP or hostname. The users that are on the 192.168.10 and 192.168.11 (sadly both of those are on the same VLAN) network are able to access this server without a problem. Thinking logically, I thought I would send a packet from my workstation, it would head to the layer 3 switch's VLAN interface corresponding to my subnet, realize the .10 network is directly connected and then forward the packet straight to the server. However, it doesn't seem to be working that way. It look like it's being routed to the ASA then being dropped. I guess there's an access rule or firewall rule preventing me from getting to the server. Is there a specific part of my config you will need to see...
I have an ASA 5510. I am doing a new install at our new data center. I am having trouble getting internet access from an inside LAN interface to the outside WAN interface.Our colo center has given us the below IP info. [code]If I do a static config on my laptop of IP 198.145.XXX.82 Mask 255. 255. 255. 240 DG 198.145.XXX.81 I am able to get the web fine from the line in our rack. I used the ASDM software to setup the ASA. I set its WAN IP of 198. 145. XX X. 82 and mask as 255.255.255.40 for interface 0/0. For interface 0/1 I made a management LAN of 192.168.180.1 with mask of 255.255.255.0.I can connect to my LAN ok but do not have outside internet access. I have also tried .80 and .81 for the WAN IP of the ASA. [code]
I have to configure a default-factory firewall (ASA 5510) in a simple scenário like this image represents:At this moment i have configured the interfaces as represented above and at this moment what i want is grant access from a LAN computer (10.10.0.0/24) to the internet.
Should i configure some acl? I read that all traffic from an interface with a superior security level to other interface is allowed, so since my inside interface has a security level of 100 and the outside 0, it should be possible access to internet from an inside computer?!
From all configurations and examples i have seen around, they all contemplate a fixed IP address from the ISP, but in my scenário i have a dynamic one. This fact matter for the configuration i want to do?
My firewall is running the software version 8.2(5).
The VPN will connect.I can ping and connect to the ASA 5510 on it's LAN interface.My problem is that I cannot ping or access anything on the LAN past the firewall. What am I doing wrong?
Here is my config.Result of the command: "show config"
Saved : Written by enable_15 at 22:55:02.299 UTC Tue Jan 10 2012 ! ASA Version 8.2(5) ! hostname ********
When i web browse to the ASA i get the certificate warning page, when i click to continue to the website it loads the normal "this page cannot be displayed"..
I use to have the ASDM software on my computer to manage the device however its been uninstalled now.. can this be downloaded somewhere? i have already tried upgrading the asdm and asa files on the asa?
