I configured ASA to open port 21, 3389, 5900 (outside access in) but when i check port just success : 21 and 3389, Error: 5900 If i configured with only one port 5900 or 3389, is't ok, i don't understand what 's the problem?
ASA5510>
ASA5510> ena
Password: ***********************
ASA5510# show run
: Saved
[code]....
I have a Cisco ASA 5510 and I am trying to set it up to be able to have it failover to the 2nd ISP connection if the 1st one ever went down. I think I need a nat statement that the "backup" connection will use when the 1st connection goes down, but I am unsure what the nat statement is supposed to be. I have added the commands that I am pretty sure that I need to add for the "backup" ISP connection. Attached are those commands, the interfaces that are set up, and the objects that are set up in the ASA.
View 2 Replies View RelatedI am trying to set up SSL VPN with two-factor authentication on an ASA5510 with software version 8.0(4). I want to use LDAP for actual authentication and user mapping, but require a valid certificate signed by a particular local CA to connect.I have imported the CA's root certificate, signed an identity cert for the ASA box and imported, and assigned the cert ("trustpoint") to the outside interface.Under the connection profile itself (for DefaultWEBVPNGroup), there is an option to select authentication method as AAA, certificate or both. AAA works as expected, authenticating against LDAP. If I select certificate or both, I get rejected with Certificate Validation Failure regardless of if I have a valid signed cert or not. This is what I see with "debug webvpn 100":
webvpn_portal.c:ewaFormServe_webvpn_login[1904]webvpn_portal.c:http_webvpn_kill_cookie[682]webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]ewaFormSubmit_webvpn_login: tgCookie = 0ewaFormSubmit_webvpn_login: cookie = c98f3940ewaFormSubmit_webvpn_login: tgCookieSet = 0ewaFormSubmit_webvpn_login: tgroup = NULLTunnel Group: DefaultWEBVPNGroup, Client Cert Auth Failed!Embedded CA Server not enabled. Logging out the user.webvpn_portal.c:ewaFormServe_webvpn_login[1904]webvpn_portal.c:http_webvpn_kill_cookie[682]
So, it seems the ASA is only trying to check the cert against a (nonexistent) ASA-based CA. How do I get it to check against an external CA cert?Under "Remote Access VPN -> Network (client) Access -> AnyConnect Connection Profiles", I have ticked "Allow Access" and "Enable DTLS". There is also an option "Require client certificate" which doesn't seem to do anything - whether or not I check it, I can connect and authenticate to the VPN with or without signed certs as long as the previous setting is "AAA".
Some highlights from the config:
crypto ca trustpoint ASDM_pfirewall01.company.tld enrollment terminal fqdn pfirewall01.company.tld subject-name CN=pfirewall01.company.is,O=Company,C=IS,L=Reykjavik keypair company crl configurecrypto ca trustpoint ASDM_TrustPoint0 revocation-check crl none enrollment terminal crl configure no enforcenextupdate no protocol ldap no protocol scepcrypto ca trustpoint ASDM_pfirwall01.company.tld revocation-check crl enrollment terminal no client-types crl configurecrypto ca certificate chain ASDM_pfirewall01.company.tld certificate 02 30820598 30820480 a0030201 02020102 300d0609 2a864886 f70d0101 05050030 <snipped rest of cert> quitcrypto ca certificate chain ASDM_TrustPoint0 certificate ca 00e2a6f08003ded6c9 3082054e 30820436 a0030201 02020900 e2a6f080 03ded6c9 300d0609 2a864886 <snipped rest of cert> quitcrypto ca certificate chain
[code]....
I would just like to to open UDP port 123 in the ASA 5510 Firewall so that our Primary Domain Controller could use this port to sync time with an external time source. We have already added an access rule for this port under the firewall configuration in ASDM 6.4 and this port was also allowed in the inbound and outbound rule of the PDC's Firewall but it seems that it was still blocked.
View 23 Replies View Relatedi just ran a NMAP scan on the outside interface of a ASA 5520. It seems that the TCP Ports 7070 and 554 are open on all NAT interfaces and the outside interface of the firewall. I tried telnet on port 554 and 7070 and got connected.
View 10 Replies View RelatedThis is problably a stupid question but how do I open a prot on a cisco 1811? I have a cisco 1811 and a computer that has VNC installed on it. I want to be able to access that computer from out side the network using the external ip address and port 5950. People outside the network will be able to open vnc viewer and type in *external ip address*:5950 and it will be directed to the computer with a static internal ip address of 10.11.101.10. What commands do I use to do this?
View 23 Replies View RelatedWe have an ASA5510 that we need to open port 25 to allow mail traffic to our internal Exchange server.We have 2 interfaces defined... one named Internal on eth0/3 ip 10.1.x.x and one named Internet on eth 0/0 ip 96.56.x.x.We followed the instructions in ASDM for allowing access to a public server but confusion over definitions have stopped us.ASDM asks for the internal interface and the internal server IP... no problem there because the internal interface and server have two different IP addresses. The Internal interface is eth 0/3 (10.1.1.1) and the server is 10.1.1.2.
However, when we get to the External interface (eth 0/1) there is only a single IP address 96.56.x.x but the ASDM asks for an Interface IP and the IP people would use to get to the mail server from the outside. Inasmuch as we have only 1 external IP address (which connects to our upstream Cisco router which in turn connects to the ISP modem) we used the same IP for both but the ASDM returns an error indicating they must be different.
Apparently we do not have a clear understanding of what the ASDM is actually asking for. When the ASDM asks for the external interface we assumed it was asking for the named value we gave the interface (which is Internet). The named value "Internet" has an ip associated with it 96.56.x.x. But when the ASDM asks for the ip people on the outside would use to get to the mail server (we created a named value called "mail server" and gave it the same ip address as the external named value. This duplication of ip address causes the ASDM to return the error stating that external Interface to be used and the external ip to be used cannot be the same.Have we made an error when we assumed that when the ASDM asked for the external interface it meant the ip of the external interface or was it asking for the eth number (as in eth 0/0) for the interface?
I have a static IP address over 100Mbit fiber. I've installed a Mac Mini as a webserver and opened the ports 80, 443 and 5900 and a few others for minor services. Everything works fine: the http server (and https as well) is up and pepole can reach it from wan.Yesterday I tried to setup the FTP service with less success. Into the ACCESS RULES I enabled the FTP service and, as a result the port 21 opened up.
But if I connect via Cyberduck to the server I can navigate through the folders but I can't download anything. So I tryed to open up the port 20 for data transfer with no result. Same issue when I tryed to setup the AFP service to mount remotely server volumes: port 548 opened up but no success with port 549.
I travel a lot and use wifi in a lot of different places (hotels, airports, etc.)My apps don't always work and I suspect that in some instances the broadband provider is blocking some of the ports I need.I don't need a port scanner like NMAP since that scans a target IP for listening ports.What I need is a way to figure out whether some firewall between my PC and the Internet is blocking specific UDP or TCP port ranges.
View 2 Replies View RelatedI was enabling all the ports for testing on an asa 5510 and once I got to port e0/3 I got this error:
ciscoasa(config-if)# int e0/0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# int e0/1
[Code]....
On the asa theres 4 ethernet ports 0 - 3 don't understand why port e0/3 is not listed. When a cable is connected the led's for that port goes green. Is the port just bad or is there a work around?
I have an ASA5510 and I would like to implement something like this: have two ports patched in and ready but only one active, the other one in standby (when the first one goes down the other port comes up and all the traffic goes down this way), all these on one physical box. So, it's basically like port failover on the same box.
View 1 Replies View RelatedI need to open ports 5000 and 5001 on my Cisco PIX 501 to enable some users to be able to connect to our CCTV from outside, how should I open these 2 ports?
View 5 Replies View RelatedI am trying to open port 52199 on my ASA 5505 I have gone to firewall, access rules and then add tcpip.Not sure if that is the correct place but cannot get it to work?
View 1 Replies View Relatedwhen I want to let email to come through the ASA5505 from outside to DMZ and Inside network, are the below command lines correct and good enough?
access-list outside_DMZ extended permit tcp outside-network-ip dmz-network-ip eq imap4
access-list outside_DMZ extended permit tcp outside-network-ip dmz-network-ip eq pop3
access-list outside_DMZ extended permit tcp outside-network-ip dmz-network-ip eq smtp
access-list outside_inside extended permit tcp outside-network-ip inside-network-ip eq imap4
access-list outside_inside extended permit tcp outside-network-ip inside-network-ip eq pop3
[code]....
Are there any other TCP ports want to be allowed and other command lines need to be added?
I have done any and everything just to even open a specific port on my pc and try PortForward's port checker and web based checkers, and I can't get the port or any port to show as open.I am trying to make an IP webcam on my network viewable from the internet.My setup is like this"gigaset 204a" / DSL modem (Ethernet cable goes into internet port on LINKSYS WRTGS wireless router) [code] Disabled I went to LINKSYS port forwarding, the address I am forwarding to is the ip webcam server. I know if the IP changes it won't work, but before thinking of setting up a static ip for the webcam on my network, I need to get it to actually work.Nothing I do will open any ports on my pc. I've tried enabling DMZ. I've even set rules for windows firewall to allow incoming/outgoing connections on the port I want, i've disabled windows firewall. am running on windows 7 ultimate. The problem for my really is as far as I can tell, I can't even open a port to allow connections to my computer from the outside. Of course all my internet games etc work fine and have never had a problem, but I can't seem to manually open a port I want.
View 4 Replies View RelatedI'm looking for an example config of how to run dual ISPs while doing port fowarding for one of the publicly facing IPs. This is on 8.4 so
View 1 Replies View RelatedWe have a ASA5510 and I need to open port 22 for a speacific IP in our LAN outbound only.
View 15 Replies View RelatedI am trying to set up a Cisco ASA 5510 running 8.2 to allow a connection to a Polycom camera that sits behind it. What I want to do is forward multiple ports to allow a connection from an outside office. The polycom camera uses the following ports:
1720 tcp
3230-3235 tcp
3230-3253 udp
I got these port numbers from the Polycom web site. So what I did was create a service object as follows:
object-group service All-Polycom-ports
service-object tcp range 3230 3235
service-object tcp eq h323
service-object udp range 3230 3253 My question is how can I use this service object in a static (inside,outside)
command so that I don't have to create multiple commands for the port forwarding. Is this even possible or do I have to sit down and write out around 30 seperate commands to do this. I've been searching the web and it seems a lot of people want to do this but so far I haven't found an answer.
I've cloned the configuration off one of my ASA5510's to another 5510 to use as a template for a new data center deploy. I have configured the new firewalls networks and rules, and of course changed the WAN IP config to its new setting.
I want to test the firewall in y office before I deploy it. How should I configure my Macbooks ethernet configuraiton to test the firewall?, as I have tried without success to connect to it.
Let's say that my WAN configuration is 134.5.169.98/255.255.255.224 with a static route of IP address 0.0.0.0, Netmask 0.0.0.0 and a gateway IP of 134.5.169.97.
I've tried setting the route to force all traffic through the interface (sudo route add 0.0.0.0/1 134.5.169.98), but that did not work either. A trace route to the external interface IP of the firewall (or the external IP of an expose server) get's a "no route to host" error.
I've tried many configurations and have not been able to access the internal servers/services/VPN at all.I've also tried with a cross over, and straight through cables.
What should I configure my macbooks network configuration as so I can connect directly to the WAN port to test external access to the internal servers/services and test the VPN client?
I am using an ASA5510 for internal firewalling in my QA environment. How do I allow RDP from one subnet to those protected by the firewall? Preferably using the ASDM.
View 25 Replies View RelatedI have a weather station at our high school that needs UDP port 9500 open inbound/outbound to specified IP addresses.
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)57
configuring the ASA particulary after the change to how NAT is implemented. What I am trying to accomplish logically seems fairly simple, yet I cannot get it to work. I have a Synology NAS at home that I am trying to reach via the internet. Prior to using my ASA, I had Verizon's FIOS router as my gateway and everything forwarded with no issues. The ports I need forwarded or reachable via the internet are TCP port 80 and 5000.I can also configure it via command line if that's the easier/preferred method.
View 11 Replies View Related I have 4 public IPs on Router 3845 interface FastEthernet 0/0/1. IP as below.
50.200.2.2
50.200.2.3 secondary
50.200.2.4 secondary
50.200.2.5 secondary
I wan to allow ports 80 to 90 on 50.200.2.3 for my webserver (192.168.10.50)
I have open my 25, 110, 80 port on my Server from local i can telnet all those via my private ip but from public ip its not responding.
2nd thing I can ping both ips of My server through private ip and through public ip.
provide me with the important links which can show me how to do the software upgrade for my ASA 5520 ver 7.0(1) to ver 8.4 ? as well as the ASDM
View 10 Replies View RelatedI have been working on trying to get an IPAD using the built in VPN client to connect to an ASA5510 version 8.2(5). I have attached the debug from where I have gotten so far. Phase 1 is failing somewhere but the messages aren't real clear or at leat not to me. The ASA is acting as the local CA for the certificate. I inherited the config from another guy as he couldn't get it working and I have made some progress but still not luck in getting the tunnel to just come up. Access to resources will be next but I'd like to just see the ipad show connected.
View 3 Replies View Relatedi am using Cisco ASA 5510 with ASA Version 8.0(4) and memory 256MB. me to Upgrade it to 8.3
View 6 Replies View RelatedASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?
View 3 Replies View RelatedI have only recently noticed a HUGE decrease in my Utorrent speeds, so i thought i would have a gander and lo and behold.apparently the port Utorrent uses wasn't open. Now, i have tried about 10 different port numbers, made sure Utorrent is being accepted by Norton 360 Firewall,followed complicated directions to (i think) foward ports, and also follow directions to open a specific port.Nothing has worked so far, Utorrent still comes back with a port closed error.
View 1 Replies View RelatedMcAffee scan of acs 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Any way to specify only version 2 or turn off SSH?
View 9 Replies View RelatedWhat is open port 49153 used for and how do I close it and any other open port that I don't know they got opened in the first place.
View 1 Replies View Relatedhow do i open port 22 in my router
View 1 Replies View RelatedMy friend is trying to open port 88 and it says this specific message "The specified ports are being used by other configurations".I did a netstat, netstat -a, and another netstat that i forgot and we could find anything on his computer using port 88.His router is a Netgear wndr3400.
View 5 Replies View Related