Cisco Firewall :: How To Create Mixed Service Ports On ASA 8.4(2)
May 14, 2013
How to create a mixed service ports on ASA 8.4(2)?I need to create a service group which has ICMP, TCP ports and also different UDP ports.Normally you would create different service group based on TCP/UDP/TCP-UDP/ICMP/Protocol and add then to new nested service group.But I want to create a new service group where you can define everything without the need to different service groups and nesting them into a new one.
View 1 Replies
ADVERTISEMENT
Jan 16, 2012
Configuring Cisco 2951 router using Cisco Configuration Professional. I have created a zone based firewall on the router and have created a zone policy for network traffic between two LANs or two zones. I need a create a rule for new traffic that should allow a custom user defined service to flow between the two zones associated with with two LANs.
The problem is How do I created a custom service that I can use for the new traffic rule? I created a network service object as shown in the screenshot below:However, when I am adding the new rule, this service object does not appear in the user defined service in the protocols tree box as shown in the screenshot below:
What is the proper way to create a custom user defined service? I was not able to create it using Class map by the way because again I did not find the service object group in the user defined service when creating a class map.
View 2 Replies
View Related
Feb 3, 2013
I fought with trying to hang two old BEFSR41 routers on an incoming TWC cable internet. I have a couple of streams going out and one coming in... and I think there are some collissions going on that cause little Urps in the streams. I thought I could put them on two different subnets. Ha. No luck at all so far. The scheme they gave me used a fixed IP and a subnet of 255.255.255.252... now I think I understand why TWC assigned a subnet of 255....252 - so I could only use ONE router. Their little toy is still routing, mine does it's thing.. that's it. In order to add another router and a totally different group of PC's on the same bandwidth... I'd have to get into their box and change the subnet scheme to something more open.. 255.....248, or maybe back down to 255...255.0 I guess..
View 1 Replies
View Related
May 16, 2011
When I create a service object or group and add the object to a new rule it never works.I mean the traffic match not the rule. I see not hits.I placed the rule on top of my access list to check if I do somethink wrong but it is not working. When I place only a service for example tcp/23 it is working.
my ip service object
object-group service g-as400 description access client 2 as400 machine service-object tcp-udp destination eq 397 service-object tcp destination eq 137 service-object tcp destination eq 2001 service-object tcp destination eq 3000 service-object tcp destination eq 445 service-object tcp destination range 446 447 service-object tcp destination eq 449 service-object tcp destination eq 5010 service-object tcp destination eq 5544 service-object tcp destination eq 5555 service-object tcp destination range 8470 8476 service-object tcp destination eq 8480 service-object tcp destination eq
[code]...
View 8 Replies
View Related
Mar 17, 2011
Using CCP I am trying to create a NAT entry for a range of ports. CCP window for a new NAT has only one entry for the port #. Is it possible to set uf port ranges in 877 router?
View 2 Replies
View Related
Aug 31, 2012
A year or so ago, when Verizon was my ISP, I ran a Minecraft server with a Hamachi VPN. I had looked into forwarding ports at the time, but decided to go the VPN route because I wasn't completely sure how to assign a static IP to a computer on the network. I had absolutely no issues setting up the VPN or hosting a server on the network.Recently I decided to give port forwarding a go again. I successfully assigned the static IP and put the port number into my router's port forwarding settings, but the port was still closed. I tried using online port checker tools and having friends try to log into the Minecraft server. No luck.After reading multiple port forwarding tutorials to make sure I had everything correct and double- and triple-checking all my settings, I began to suspect that something else was causing the problem. I have an older router set up as a repeater on the network so my family can connect to the Wifi network from anywhere in our house. Thinking maybe the repeater or even the main router itself was to blame, I decided to try another router. After disconnecting the current routers and setting up a spare router I had, I tried everything again. Still no luck.
I tried opening different ports unsuccessfully. No port I tried opening would work. I decided to give in and just set up Hamachi again, since that had worked flawlessly before. However, after setting up a Hamachi VPN, I realized people could join the "room," so to speak, but could not connect to the VPN itself. Even hosting a Minecraft server over Hamachi wasn't working this time.Assuming it was just an issue with Hamachi, I tried another VPN software. I got the same error - people could log in, but not connect to the VPN. Thinking back to the port checker telling me port 80 was closed, I pretty well gave up.I've walked one friend through setting up a VPN the exact same way I did, and it worked on the first try. I walked another friend through assigning a static IP and forwarding ports. I don't know what's different about my network that won't allow either of these things. I've searched my router's configuration for any setting that would override port forwarding or block a VPN, but I can't find anything.
View 15 Replies
View Related
Mar 5, 2013
I use the Service port connected to the managementVLAN to manage the WLCs. When configuring HA with AP SSO, I lost HTTPS connectivity to the WLC, telnet still works fine.I researched the deployment guide and it states:
- When AP SSO is enabled, there is no SNMP/GUI access on the service port for both the WLCs in the HA setup.Why is remote access disabled using GUI when using HA, and how can I keep management of my WLC using HTTPS and an address in the ManagementVLAN.
View 10 Replies
View Related
Oct 29, 2011
I recently purchased an SG300-10 switch. Is it possible to change the TCP port numbers for the administrative services on this device? For example, if I wanted to change the web admin port from being availble on port 80 to port 8080, or move the SSH port from 22 to 2022, how would I do this?
I've looked over the web admin interface, and the Security > TCP/UDP services option looks like what I want, but I see no way to change a service's listening port. Is this possible?
View 3 Replies
View Related
Jul 18, 2011
I've run a across a strange issue that I've not encountered before and after the things I've tried am beginning to think it's a limitation of the router itself. What I have are 3 Cisco 1941 routers that are all endpoints for a customer's MPLS network. STL is the headquarters and both remote offices have a link back this router. Each of the remote locations only have 1 serial interface. It is a flat network with few routes and a small shoretel voip system running across it. Each router is running C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M5, RELEASE SOFTWARE (fc2).
QoS is configured as follows on each router:
class-map match-any AutoQoS-VoIP-Remark
match ip dscp ef
match ip dscp cs3
match ip dscp af31
class-map match-any AutoQoS-VoIP-Control-UnTrust
match access-group name AutoQoS-VoIP-Control
class-map match-any AutoQoS-VoIP-RTP-UnTrust
[code]....
If I try to apply the policy map to serial0/0/0, I get the following error:
% policy map utoQos-Policy-Untrust not configured
I've tried to create a different policy map with the same settings and get the same error. We thought that when it was first set up, each interface belonged to the same network, so we separated things out (hence the .252 mask). I'm not sure what else to try and I'm hoping its something painfully simple that I'm missing.
View 2 Replies
View Related
Jul 11, 2012
I have an rv180 and I'm trying to setup a custom service that contains both multiple disjoint ports (some UDP some TCP), as well as a TCP port range. This has lead me to a couple of questions.1) Is it even possible to have a single custom service with disjoint ports? Is it just going to be necessary to define multiple partial services for this?2) Is it possible to forward a range of ports? It's clear how to define a service with a port range, but the port forwarding table interface only allows me to select one LAN-side port for any service. Is there a secret notation that I need to do here that will just forward to the same LAN-side port as the WAN-side port---effectively one-to-one NAT forwarding, but just for the selected service?
View 8 Replies
View Related
Sep 5, 2011
I recently acquired a 2509 router that I plan to use as a serial device router. My question is, how do you create the virtual com ports on Windows and Linux machines to point to the TCP address:ports in the 2509 router? Is there software or drivers that do this? Or something third-party?
View 12 Replies
View Related
Oct 12, 2012
Is it possible to create a service which will forward public port 9010 to an internal IP address with port 23?First of all, I do not like to open the public Telnet port to the inside so I would use another public port and second my ISP does not allow some public ports beneath port 80?
View 1 Replies
View Related
Jun 9, 2013
We have an ASA 5505. 5505 comes with two default vlans 1&2 with each of them marked as inside & outside respectively.My query is , if i do not want to use vlans on 5505 and only want to use the Ethernet ports as pure physical layer 3 ports, is it possible?i.e. i want to assign a layer 3 ip address on eth0/0 and eth0/1 and make them as the inside & outside interfaces rather than vlans. is it possible to do away with vlans in 5505 & will it work otherwise?
View 3 Replies
View Related
Jan 22, 2013
At home I have a D Link DSL-2640R wireless adsl router/modem in my downstairs office.I would like to use the cable which goes to upstairs of the house to link to some sort of extra router or switch in order to provide more network ports upstairs.
View 1 Replies
View Related
May 14, 2013
Is there a way to associate spare firewall ports with another port that is being used..For example...int gi 0/2 is being used currently for my web dmz. Its ip is 192.168.10.1..Is there a way for me to associate gi 0/3 with the same layer 2 as gi 0/2 ?
In my webdmz I use 2 ACE 4710 proxys in FT mode. I used a layer 2 switch to connect firewall and proxys together.
I would like to eliminate this switch if possible..and connect both 4710's (layer 2) direct to firewall.If I could make gi0/2 - 4 part of the same vlan, then I would be good to go.
View 2 Replies
View Related
Feb 28, 2012
We have a situation where services are stopped on the real servers. The probes fail and we confirm the services are not running on the server. We cannot access the ports from the ACE directly. We can still however acces the VIP on the TCP port (L4 VIP class-map). So we can still telnet to the VIP on the port from thr Client side of the network.This is on ACE 20 Modules deployed in Routed mode. The version of software is A2(3.3).
Tried removing multi-match and loadbalance policies as well as class-map and re-applying then re-appyling the service policy to interface. Same behavior,This is a problem at another level as some services are being monitored by GSS via TCP keep-Alive and this obviuosly causes a problem as the service then never goes off-line.
View 10 Replies
View Related
Oct 23, 2012
I have found cisco's config for dynamic DNS on an ASA. However, I have seen many articles that the ASA doesnt support the HTTP update method that most dynamic dns services use.
View 2 Replies
View Related
Aug 12, 2012
how to change the order of the groups that are displayed at the SSL VPN sign in page? I am using an ASA-5520. Right now the anyconnect client group displays above the clientless SSL intranet group and I want it reversed.
View 6 Replies
View Related
Jul 24, 2012
on my Active/Stanby ASA5505 has Sec+ License(trial), I can't create more then 3 nameif interface however,
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited 17 days
Failover : Active/Standby 17 days
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled 17 days
AnyConnect Premium Peers : 2 perpetual
View 5 Replies
View Related
Aug 29, 2011
The admin guide for the WAP4410N, explains the default setting for the Wireless Network Mode field:
"B/G/N-Mixed—(Default) Connects all the wireless client devices at their respective data rates in this mixed mode."
What does this mean exactly? Does it mean that I can have some clients using G at G speed; and some clients using N at the faster N speed? And both at the same time?
I can't see how that is possible as the AP only has one radio?If it is possible; then why is one of the options G only - that allows both G and N, but a G speeds only?
Should I set the Channel Bandwidth to 20Mhz or 40Mhz? The admin guide says that N will use 40Mhz and B/G will use 20Mhz. What is the difference in practice?
View 4 Replies
View Related
Feb 18, 2013
I currently have 2 5505 SEC BUN as Primary/FO Firewalls and I am considering purchasing the ASA5510-AIP10-K9 for use as a dedicated IPS device. Looking at [URL] I see that for service updates, CON-SU1-AS1A10K9 is available for this product, providing "IPS Signature and Engine Updates" and "OS Updates."It is my understanding that in the ASA5510-AIP10-K9 there are 2 OS:
1. ASA OS
2. AIP SSM-10 OS
My question is: Are both the ASA and AIP SSM-10 able to receive "OS updates" with this service contract?
View 3 Replies
View Related
Mar 20, 2013
I just got 2 Cat6504 Chassis and 2 ASASM pluged in them. show version from submodule ASA as follow:
SVC-APP-HW-3#show ver
Cisco IOS Software, trifecta Software (trifecta-SP-M), Version 15.1(1)SY, RELEASE SOFTWARE (fc2)
[Code].....
I want to upgrade new OS for ASA to 8.5 (asa851-smp-k8.bin) but after copy this soft to the module, I can not "write" command or when I reload this box, everything was no changed. SVC-APP-HW-3#write startup-config file open failed (No such device)
View 2 Replies
View Related
Oct 7, 2011
I currently have 2 PCs that are directly connected to each other via a 1Gbs Cat6 connection.I don't currently have a 1Gbs router so what I am doing right now is unhooking this connection and reconnecting both machines to my router when I need internet access. I have ordered some USB Wi-Fi adapters so I can have both machines access the internet that way whilst still use FTP between them on the 1Gbs line.If I were to scrap that idea and get a 1Gbs hub, connect both PCs straight into that, and then also connect the hub to my 100mbits router, would the 2 computers be able to communicate with each other at 1Gbs and then talk to the router at 100mbits, or would the whole network run at 100mbits.I don't really want to have to shell out on a 1Gbs router as I don't need anything else on the network to run at that speed.
View 6 Replies
View Related
Jul 11, 2011
There is a PIX firewall and it has this configured on it.static (inside,outside) tcp interface 3389 192.168.1.250 3389 netmask 255.255.255.255 0 0.This line of code works ok for port 3389 but I want all tcp ports to be translated. Not just 3389.
View 2 Replies
View Related
Apr 18, 2012
We have setup new ip camera system and as per our vendor to access the camera from outside we need to open,TCP ports and in firewall and forward to our camera server.
Let say our public ip address is 207.114.111.22 and our local ip address for the camera is 11.11.1.30. We have cisco asa 5510.
View 2 Replies
View Related
Mar 25, 2013
I have a fresh installation of LMS 4.0 on windows server 2003, when i click to open topology i get error message : ANIServer service may be down or Host name isn't DNS resolvable
i tried pdshow -brief ANIServer ===> service UP
DNS is working using host file in driversetc i restarted the server
restared the crmdmgtd
unistall / install java plugin
pdterm ANIServer
pdexec ANIServer
NO change ..
View 6 Replies
View Related
Jul 11, 2012
I have a Cisco 5505 with a security plus license and but I can’t seem to create sub interfaces on it.
ASA1(config)# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(2)4Device Manager Version 6.0(3)
Compiled on Wed 03-Feb-10 14:17 by buildersSystem image file is “disk0:/asa822-4-k8.bin”Config file at boot was “startup-config”
ASA1 up 1 day 18 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHzInternal ATA Compact Flash, 128MBBIOS Flash Firmware Hub @ 0xffe00000, 1024KB
[code]....
View 3 Replies
View Related
Feb 29, 2012
I want to create a Dual DMZ in a ASA5510 however it is not like I used to in ASA5505?In ASA5505 I create a Outside, Inside and DMZ VLAN and there after add the interfaces into the VLAN.This way I can have two DMZ interfaces, but how do I do it in a ASA5510?
View 1 Replies
View Related
Oct 25, 2011
I need to be able to create vlans in my ASA 5510.
I can'T find anywhere to do this.
I've tried the "routers command" I know, like vlan databse and it does'nt work
Is there a way to "enable" vlan on a ASA 5510 ?
View 3 Replies
View Related
Jun 12, 2013
I have a production ASA 5505 that is working perfectly. I wanted to take a spare ASA 5505 and copy the running config to it so that I would have a backup unit that could be swapped out if the production unit went down.
Both units have security plus and running 8.2(1). The only difference is that the production ASA has 512MB of RAM while the backup ASA has 256MB. Also the backup has anyconnect and the production unit does not.
I copied the running-config to my tftp server and then copied the running config from my tftp server to the backup ASA as startup-config. After reload the device booted with an identical configuration to my production ASA, but after swapping out the units to test it, I have no access to the WAN or DMZ from my LAN. Swapping back to the production unit and all works as it should.
I printed out the running config from both devices and compared them line by line. They are identical except for the anyconnect line on the backup ASAs config file.
View 5 Replies
View Related
Feb 25, 2013
User want to create on 5 network , 100.x , 200.x , 210.x , 250.x , 220.x .at the ASA5510, no enough port for 5 network.So I want to create 4 vlans on eth 0/3. I can create vlan but i cannot run this command " switchport mode trunk" " "switchport trunk allowed vlan list" how can be done for that?
Actually i want to use like thisASA5510-----4 vlans on eth 0/3------switch----vlan200,vlan210,vlan250,vlan220.
View 1 Replies
View Related
Oct 10, 2012
I'm trying to use LMS to upgrade a stack of switches that have 1 or more 3750x's and other 3750's. In Software Distribution, if I choose Distrube to devices, basic, it finds the x switch, which is the master but says the others are not candidates. I don't see a place where I can tell it it is a mixes stack and choose multiple IOS's.
View 2 Replies
View Related
Aug 2, 2011
I am looking to slowly migrate some of our wireless devices (Aironet 1231 and 1232's) to the Wireless N spec - 1260's.I currently have four AP locations that I want to upgrade first before anywhere else. At the minute, these four AP's work on the 2.4Ghz G band.
how the new 1260's will work in the mixed environment. I believe I will need to purchase the 1262 (which is the dual band version) so that I can operate the AP in both the 2.4Ghz G band range and the 5Ghz N range at the same time, is this correct?If I was to purchase the 1261 (which is the single band version), will I only be able to operate in either th 2.4Ghz or 5Ghz, but not at the same time?
For the mixed environment, would you suggest the dual band version? Can I place the same SSID on multiple Radios if this is the case? Following example: Say I have the SSID called 'Company' - this at the minute is operating on the G band 2.4Ghz range. If I was to purcahse the dual band 1262, could I put this SSID on both the G radio and the N radio? Would clients with an N adapter automatically connect to the 5Ghz range (N Radio) and legacy G and B adapters automatically connect to the 2.4Ghz (G Radio)?
View 5 Replies
View Related
