I have problem i want to access to my http server in my local network from outside
192.168.2.42 : it my server http
195.X.X.X its my internet IP but it was connected in eth 0/4
static (DMZ,Orange) 195.X.X.X 192.168.2.42 netmask 255.255.255.255
access-list outside-acl permit tcp any host 195.X.X.X eq 80
access-group outside-acl in int orange
but its not good why
I am testing out some inspection options on an ASA 5505, and I am running into a situation in which applying a http inspection is dropping all outbound http traffic. I get a "protocol violation" error in the logs.
Here is the setup: I'm not sure why the web traffic is getting dropped.
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
[Code].....
I want to start implementing a small outdoor mesh network of 3 APs Aironet 1550 in order to grow afterward with more APs. Is there any way to configure those 3 APs in an outdoor mesh configuration (for example, only one RAP and two MAPs) without a Wireless LAN Controller or I have to have at least, one WLC? My idea is to have a WLC 5508, but at the very beginning I don't know if my budget is gonna allow me to cost the WLC.
View 7 Replies View RelatedI just upgraded my ASA 5585 cluster from 8.2 to 8.4. I also upgraded the asdm .bin from 6.35 to 6.43. after rebooter the cluster, I try to access it with ASDM installed on my computer but it blocked at 17%.I tried to access [URL] but I just an error (with IE & FF) [code] What did I miss in the ocnfiguration ? I precise that I never used the http page, I already had the ASDM installed from another ASA.
View 4 Replies View Relatedconfigure my ASA 5505. It is setup using PPPoE. What I want to do is this:
I have one of my IP addresses (99.23.119.78) setup for ftp using the ftp protocol to our internal IP address 192.168.1.3. What I need is to also allow for HTTP access but not just that, I need it to forward the http port to port 9000 because the web interface requires port 9000 for customer access. Previously on our old firewall customers were able to access the web interface by browsing to [URL]. I would like to not have to not require the port in the URL.
In addition, I would like to be able to setup a different IP address in our range (99.23.119.73) to be setup for http access using the standard port 80 for the same internal IP address (192.168.1.3). This URL will allow us to access the administration web interface for the FTP server.
Here is my current config:
Result of the command: "show running-config"
: Saved:ASA Version 8.2(1) !hostname ciscoasaenable password qVQaNBP31RadYDLM encryptedpasswd 2KFQnbNIdI.2KYOU
[Code].....
I'm looking to extend wireless coverage outside the building and was think of using 2600e APs with AIR-ANT2566P4W-R patch antenna mounted externally.Is this a valid combination?
I've had a look through various bits of documentation and this antenna seems to be supported but can't see documentation that details of what low loss cables and lightening arrestors are compatible.
I am looking at outdoor access points, I want to stick with Cisco aironet, we currently have 6 of them that are 6 years old and running great, one has had a problem because of humidity, dried it out and relocated and we are good again.
I was looking at the Aironet 1310 Outdoor access point, but I can't find much information on it. I am looking to see how many SSIDs can be setup, we currently have 2 one private, and one public, this is done with VLANS. I am also looking at finding out about the power injector, it converts to coaxial cable, it has 2 RJ-45 and 2 Coaxial, does this mean if we get 2 access points, then I only need 1 power injector?
I have a customer with a Cisco ASA 5510 firewall, an inside network containing a Genetec video recording server, and cameras installed on broadband modems throughout the area (each with a public IP). They've recently purchased Axis Q6034-E cameras that use H.264 to stream back to the video recording server. The camera has a view mode where you can watch it through H.264 or Motion JPEG. The view with M-JPEG works, but when I switch to H.264 the video stream is denied. We have allowed RTSP, RTP, and HTTP (it's setup with only http, not 443)traffic from the camera address on the cable company public network but are still being denied the video stream. The recording software requires that the feed come from the H.264 feed, so the motion jpeg does not fix the underlying issue of being able to record.
We know it's the firewall because if we install the camera on the inside network, the video feed in H.264 works to the recorder.
How to enable something special on the firewall to allow traffic through from the device?
I need to confure 3 ESW-520, 2 24 ports and 1 48 ports, connected in etherlink on the same vlan. One of the 24 ports and the 48 ports works perfectly, the other 24 ports it working, i can use it as a flat switch, i can also access from the console, but i can't access from the http configuration utility. I upgrade the firmware, and set the vlan 1, the one i'm using as the only management, but i can't access ti the default ip 192.168.10.2. It's the switch broken or i'm making some error?
View 2 Replies View RelatedI am using a three interface ASA config (Internet, DMZ, Inside). The DMZ and Inside networks are both RFC 1918 space however it is against our corporate policy to allow our DMZ IP space to be internally routable, therefore we must target routable IP's which NAT to the DMZ hosts . In my DMZ network there are two devices - a Web Server and a 802.11 Access Point.
The Web Server is hosting our corporate web site. When the clients accessing the internet via the Access Point try to access our corporate web site they are not able to. A DNS lookup of the A record 'www' returns the public IP address, which when targeted translates to the real RFC 1918 IP of the web server.
Is there a way to use destination NAT or another clever config so when a host targets a public IP which is being translated on a different interface right back into the same interface it originated from it would allow the traffic?
Two days ago, we changed our old 525 with asa 5520 ( ver 8.2 ). Configuration is the same, except the version. It even retains the same global interface and static public ip address as the old device.All worked well during that period.
Yesterday, one of the http applications , not tested other day, was found not to be working. To test, we switched back to the old 525 , however nothing was working when we did that.
I wanna block the Lan IP address(eg:192.168.2.106) to visit wan web, and allow it to lan.How can i set it in access rules?
View 2 Replies View RelatedTwo days ago, we changed our old 525 with asa 5520 ( ver 8.2 ). Configuration is the same, except the version. It even retains the same global interface and static public ip address as the old device.All worked well during that period.Yesterday, one of the http applications , not tested other day, was found not to be working. To test, we switched back to the old 525 , however nothing was working when we did that.Does the static statement which actually does the translation for this application carry any arp problems or so.how can i check this problem.
View 3 Replies View RelatedI cannot access http sites unless I manually write the prefix https. The issue is mainly on Wordpress blog pages and I have to keep writing https if I want to access other blogger's page.For the time being I am using Chrome's extension "Https Enforcer" which slows down my browsing speed but eventually the sites open. I have to disable it if I have to use google images. I use windows 7, Chrome browser, Pocket Modem.
View 2 Replies View Relatedlet me know how to enable HTTP inspection in ASA 5505 through ASDM.
View 1 Replies View Relatedwhen I connect to VPN with ASA 5510, can not connect to web applications in HTTP instead https in other applications are working properly. how can I fix this?
View 2 Replies View RelatedI try to access to WS-SVC-NAM-2 module in the Switch 6509. But is not work although the HTTP port is enabled (I tested with the command telnet @ip 80).
I try telnet access to the module to check the config , but I always the message that the lo gin / password is wrong even though they are valid.
I installed the LMS as ova template on ESXi and be able to connect via SSH, but when I try to connect via http or https I got the following error.
ForbiddenYou don't have permission to access / on this server. Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
I have a web cache server, and I redirect all the HTTP request to it using WCCP.
Everything works without a problem, however I have a monitoring system that every minute tests the access to some customer sites that are hosted inside our infra-strutcture.
As soon as I configured the WCCP the monitoring system complains of timeouts accessing those sites, about 20% of the requests start to fail (timeout).
I don't think it is the fault of the cache because in the WCCP ACL I exclude all traffic that comes from my monitoring system. However as soon as I turn of WCCP the monitoring system never ever gives timeouts accessing those sites.
Is there anything I should do in WCCP to tweak it? I have WCCP configured in my core gateway that is a CISCO 3750.
We're getting this error message randomly when surfing the Internet. We have websense running on our network to perform web content filtering and are using the ASA for the http/https redirects. We've contacted websense and they said this error message is coming from the ASA, not their product.
ASA-5550
version 7.2.4
i have the following scenario :
ISP1-------ASA 5510----------ISP2
|
|
|
LAN
i would like to use ISP2 for all http/https/ftp traffic.how could I force my ASA to set a different gateway for http/https/ftp traffic ?i have tried several solutions such as nat/pat rules, nothing seems to work.
I am replacing an old Fw with a New ASA 5510 and I have a problem with a TCP Connection on My LAN InterfaceI joined a picture of what I want to do. [code] From the PC,I can Ping the Video Camera But I can't connect to it with HTTP.I don't understand, Packet Tracert allow the Http packet too. [code]
View 7 Replies View Relatedhow to enable inspect http on ASA 5510, so that URL information populate in the syslogs?
View 2 Replies View RelatedI am configuring a new ASA 5510 to replace a SonicWall and I have a problem with an HTTP Connection inside my LAN.PC from the LAN ( using ASA LAN interface as gateway) can't Connect to a Camera video Web Server (192.168.4.20) on Port 80 whereas I can Ping it.
ADSM logs show :
106015# Deny TCP (no connection) from ip1 to ip2 Flags RST on Interface LAN.The adaptive security appliance discarded a TCP Packet that has no Associated connection in the adaptive security appliance Connection table.
- I Enabled command "same-security-traffic permit intra-interface"
- HTTP inspection is disabled.
I used Capture feature on the Ingress Interface, I joined the Logs and a part of my ASA Running Config.
My config:
Windows 7 host
MS Loopback Adapter with ICS
GNS3
ASA 8.42 with ASDM 6.4
Vmware Workstation 7 with Windows XP SP3 vm
All are working like a charm, from my virtual XP machine I can ping every site, e.g. www.google.com which replies nice with it's ip-address.
However, I cannot reach ANY website
When I connect through a Cisco 3700 router the webbrowser works perfect, so it must be something in the ASA configuration (I presume )
I've tried about all possible Access Rules, but still nothing.
Situation: Slow internet access, after access keep getting waiting for HTTP, always see n items remaining.What can be done to speed up access?OS is windows 2003 R2, latest updates. [code]
View 15 Replies View RelatedI am trying to limit HTTP access to my server on the local network to a specific IP address. I create an Access Rule in the firewall section, however that doesn't work. The only way it works is if I add the internal IP address of the server to the Forwarding section where I create a new HTTP forwarding rule.However, that is not good because that allows ALL HTTP traffic to that server instead of just by the single IP address.
View 2 Replies View RelatedI am facing issue with http login after IOS upgrade on 3750 switches. I upgrade IOS from c3750-ipbase-mz.122-35.SE5.bin to c3750-ipbase-mz.122-53.SE2. bin Any other command I have to run.
View 1 Replies View RelatedI was unable to access my ASA 5520 using HTTP/HTTPS even on the management interface. I had upgrade the ASA IOS to asa832-k8.bin and ASDM to asdm-634-53.bin. But, the issue still the same.
My browser show the error message as attach image.
PGA-Firewall-02# sh run: Saved:ASA Version 8.3(2)!hostname PGA-Firewall-02enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface GigabitEthernet0/0 nameif public security-level 0 ip
[Code]....
I have cisco 881 and configured with http access, but when i try to open in browser it's shows blank page. Is the Cisco 881 supports GUI ?
View 3 Replies View RelatedI have an ASA5510 with CSC Module which is inspecting HTTP traffic. We need to be able to use http radio stations. Some radio stations work but some don't work. I excluded my computer ip address from the CSC filtering but i am still unable use certain radio stations. I thought since my computer is excluded from the CSC filtering and some radio stations don't work that it must be the firewall that is blocking the traffic. I removed the rtsp inspection and it won't work.
View 1 Replies View RelatedI need to redirect all http and https traffic from one source in a dmz network, to port tcp/8080 on a proxy server on the inside network.
The source device doesn't handle proxying very well, so i've been advised to redirect the tcp/80 and tcp/443 ports to tcp/8080 as it passes through the firewall.
Scenario is thus:
PIX 515E 6.3 (5)
DMZ server: 172.31.255.250 (Real IP), 10.44.181.236 (NAT IP)
Inside Proxy server: 10.44.132.28 (Real IP), 172.31.255.110 (NAT IP)
I've configured a static NAT redirect using the following command: static (inside,dmz) tcp 172.31.255.110 www 10.44.132.28 8080 netmask 255.255.255.255 0 0
When I try to add the next command of: static (inside,dmz) tcp 172.31.255.110 443 10.44.132.28 8080 netmask 255.255.255.255 0 0
I get the following error: ERROR: duplicate of existing static
Is there a work around for this at all or am I stuck with the limitations of the software?
I have a strange problem in my ASA 5510 firewall. I turned on HTTP inspect policy to block certain URLs, but that destroyed svn communication. Interestingly, if I use simple web-browser to access svn server - it works, but any svn-client requests fail with an error "Could not read status line: An existing connection was forcibly closed by the remote host". I did some packet sniffing, and discovered that with HTTP inspect off the Webbed request is answered, but with HTTP inspect on it is rejected with an error unauthorized. Here are examples of success and failed conversation packets:
Success:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=58882, PayloadLen=0, Seq=4139355337, Ack=3464798063, Win=258 (scale factor 0x8) = 66048 {TCP:2, IPv4:1}
4. <Server-IP> <Client-IP> WEBDAV WEBDAV:Response, HTTP/1.1, Status: UNHANDLED HTTP Status Code, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
Failure:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A.R.., SrcPort=HTTP(80), DstPort=1137, PayloadLen=0, Seq=1075661931, Ack=4049054406, Win=64240 (scale factor 0x0) = 64240 {TCP:2, IPv4:1}
4. <Client-IP> <Server-IP> TCP TCP:Flags=......S., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908784, Ack=0, Win=64240 ( ) = 64240 {TCP:4, IPv4:1}
5. <Server-IP> <Client-IP> TCP TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=1138, PayloadLen=0, Seq=4184445498, Ack=1032908785, Win=8192 ( Scale factor not supported ) = 8192 {TCP:4, IPv4:1}
6. <Client-IP> <Server-IP> TCP TCP:Flags=...A...., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908785, Ack=4184445499, Win=64240 (scale factor 0x0) = 64240 {TCP:4, IPv4:1}
Packet # 4 is an actual differentiators.
I found one mentioning of that error with that assessment: "Older firewall/proxies do not understand the Webbed related HTTP requests for accessing Subversion using HTTP{ URL} in that post But not any useful tips.