Cisco Firewall :: Use ASA 5510 Smart Call Home Feature For Automatic Backup Creation By Email
Feb 10, 2013
I am trying to use the built-in Smart Call Home feature of the Cisco ASA 5510 for the purpose of automatic backup creation by email. I found the configuration [URL]. I already configured the said instructions, but when I send a test email it says it cannot contact the email server. Below is the error that I am getting from our ASA. I am new to firewalls.
OGI-MNL-ASA-FW0# call-home test profile ASA_Config_Backup
INFO: Sending test message to fcaccam@example.com...
ERROR: Connecting to SMTP server xxx.xx.xxx.xx failed: CONNECT_FAILED(33)
ERROR: Failed: CONNECT_FAILED(33)
I'm trying to install a Gateway in Red Hat Linux to Cisco Smart Call Home Service, and reading about this on Google, I found this info: Smart Call Home on the ASA. This is much simpler to configure and operate. I want to know which solution is more recommended and why.
I need to implement a DMZ in my office. Before talking about the configuration, I would like to know the best practices for implementing a DMZ. My questions are: Is traffic from inside to DMZ permitted by default? What about DMZ to inside traffic? Is it necessary to do a NAT from inside to DMZ with the same IP as the inside? What is the use of "static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0"? Is it a no-NAT statement? Is it necessary to permit traffic from DMZ to inside? Suppose I have a web server in the DMZ; for an inside host, will it take the path through the ASA or the path through the internet?
I am having an issue with a specific server that is not reachable from other subnets. Every other device on the same subnet as the server is reachable via the other subnets. This server is special because it's NAT'd to an external IP address and has several site-to-site VPNs set up. The firewall is a Cisco ASA 5510.
This is the error I see on the ASA syslog when I try to ping the server from another subnet:
3 Dec 05 2012 10:58:49 10.0.15.101 regular translation creation failed for icmp src inside:10.0.20.8 dst inside:10.0.15.101 (type 0, code 0)
The problem server is on subnet 10.0.20.0/24 and the server IP address is 10.0.20.8. Every device on the 10.0.20.0/24 subnet can hit the server, but devices on other subnets cannot. For instance, a device on 10.0.15.0/24 cannot reach 10.0.20.8, but can reach other devices on 10.0.20.0/24.
My backup userid, password, privi 15 on all our company routers. Say around 300 routers; it is difficult to log in to each router and create a backup account. I heard from one of my friends that I can create a backup account and upload it through the kiwicat tool, and it will automatically create my backup account on all the routers. Procedure to create this.
We have a Cisco AP, AIR-AP1131G-E-K9 Version 12.4(10b)JA, and we would like to do automatic backup of the CLI configuration to one server, and we don't know how to do it.
For example: On routers and switches we use this kind of configuration to do automatic backup: [code]
I've been trying to switch out our old firewall which is a 5510 for our new 5520, but we keep running into this problem on both devices with almost the exact same configs. Currently I have the 5510 installed, and I cannot get our email server and RDP server to ping out to our internet gateway.
Attached is a sanitized config. From the config you can see the internal address of the email server is 11.2.1.29, external address is 73.13.198.211. RDP server is internal address 11.2.1.33, external 73.13.198.212. Our internet gateway is 73.13.198.209.
From another computer with a 11.2.1.X address I can ping out to the internet gateway. The other two devices drop (I believe) when they hit the firewall.
I use an ASA 5510 and I would like to log VPN traffic (for example, as soon as a remote user tries to connect to the ASA). I would like this log to be sent to a specific mail address. I already configured Email Logging for severity (level 3) and it works well.
1. My email going out is working along with internal, but inbound email is not working. My Barracuda email filter is 192.168.1.107 and my Exchange 2007 is 192.168.1.222. Along with this, OWA does not work.
2. Terminal Services does not work; when I try from the home PC I get server not available or disconnected.
Below is my config:
ASA Version 8.3(1)
!
hostname wsigateway
domain-name wsystems.com
enable password yVSkMxWRc/S396FB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 64.XXX.XXX.XXX 255.XXX.XXX.XXX
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
[Code]....
We are upgrading from a PIX 515E to an ASA 5510 with CSC SSM. We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. [code]
I have a Cisco ASA 5510. I am attacking my firewall using Nmap. I see the attack in the log, but I would like the firewall to send only an alarm of the attack by email. I have email active with warning and I received very many emails.
I observed that the graph shows the attack, but not the IP of the attacker. Is it possible for the Cisco ASA to show the IP too? The log shows scanning with Nmap, but it is not shunning the IP and not sending an alarm. How can I send an alarm? The graph does not show the IP; is it possible to show it?
I am in the process of switching firewalls. Currently I have a Sonic Firewall in place. I have been tasked to switch the firewall out with a Cisco ASA 5510 firewall. The Sonic firewall currently allows email traffic, web traffic, and DNS traffic. When I use the current config below on the ASA I am unable to receive email from the outside network. I can send and browse websites but I cannot receive email.
ASA Version 9.1(1) ! hostname ciscoasa enable password kdkfdjdjflkadjdsfj
I would like to set up a backup ISP on our ASA 5510. Right now the firewall has the following command for the default gateway:
"route outside 0.0.0.0 0.0.0.0 114.324.321.33 1" I am changing this to "route outside 0.0.0.0 0.0.0.0 114.324.321.33 10 track 1" ...so I can set up SLA monitoring. As soon as I do the above command and remove the original "route outside 0.0.0.0 0.0.0.0 114.324.321.33 1" from the ASA, the internet connection drops. Right now ASA interface Ethernet0/0 has the main ISP configured and I am configuring interface Ethernet0/3 as backup.
interface Ethernet0/3
 nameif backup
 security-level 0
 ip address 114.324.321.34 255.255.255.252
 no shut
global (backup) 1 interface
route outside 0.0.0.0 0.0.0.0 114.324.321.33 10 track 1 (Right now in the firewall I have "route outside 0.0.0.0 0.0.0.0 114.324.321.33 1")
route backup 0.0.0.0 0.0.0.0 115.283.212.23 20 track 2
sla monitor 1
 type echo protocol ipIcmpEcho 114.324.321.33 interface outside
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 115.283.212.23 interface backup
sla monitor schedule 2 life forever start-time now
Also our firewall has site-to-site VPN and 1 main IP configured for Exchange and remote access.
all this inside the router or the switch. From the Linux box just running a simple command such as:
tftp 172.16.0.3 -c get startup-config newbackup.conf
where 172.16.0.3 is the IP address of the switch and newbackup.conf is the name of the config file stored on the Linux machine. So, how do I do that with an ASA box? How to back up the ASA from inside it?
I have an ASA 5510. I set up a basic configuration to test internet with 2 ISPs. My first line works without any problem. But my second line doesn't work. Even when I wipe the configuration and set up only my second ISP, internet doesn't work. Can you tell me if there is anything wrong with this config?
CaaaA01# sh run : Saved : ASA Version 8.3(1) ! hostname CaaaA01 domain-name example.com
My question is very simple: is there any way or feature that could allow us to have a backup VPN tunnel on the secondary ISP at the ASA 5520? Let's assume the primary ISP goes down; is there any way for the VPN tunnel to come online at the backup ISP? [code]
I have a question about NAT behavior on FWSM 4.0. The problem is that the email server (Company A) cannot connect to the email gateway (Company B) on the outside network, and it happens randomly. I got this error from the server guy: "Detail: xlate has blocked the connection between A’s mail gateway and B’s mail gateway". It works fine again after clear xlate on the firewall. [code]
1. How does FWSM create an xlate table like that? I mean it looks like NAT0 for 158.137.21.26, but it doesn't have any NAT rule for 158.137.21.26 on the firewall.
2. What does "connections 24" at the start of the line mean? In normal times, I only see the connections at 0, like the second line of the xlate.
3. After clear xlate global 158.137.21.26, the first line of the xlate table is gone and then the email servers can connect to each other. Is this a bug on FWSM, or is this normal NAT behavior of FWSM?
I have a standard ADSL modem which connects to the internet. On the inside I have a few computers within my LAN. When the modem receives an incoming request from the internet for a connection to one of my LAN computers, e.g. a Skype incoming call, how does the modem know which port to forward that traffic to on my internal LAN? I.e. how does the modem know which of my computers is running the Skype application that will answer the incoming call? I know port forwarding normally handles this sort of thing, but in my case, I am not using any configured port forwarding rules, so how does the modem know where to forward Skype traffic?
We have a Cisco Firewall 5510. When I VPN into the network, I have to RDP to a Windows desktop in order to SSH into my Linux boxes. How to SSH directly from home PC?
I need to create a DMZ zone in my network. One server need to be put in DMZ. I have a PIX 515E 6.3.3. It has free port to create DMZ.
1) Put a new switch for DMZ zone
2) Connect it to the DMZ port
3) Create a NAT for inside to DMZ with same IP as inside
4) Create ACL for permitting traffic to DMZ and apply it to outside interface
5) Create ACL for permitting traffic from DMZ to inside
6) Routing for DMZ in PIX
I am researching power adapters versus range extenders to bring the best signal to a new home theater so I can stream Netflix. I don't do much else (gaming etc...) and am not a tech person. I just want to enjoy movies in an area of my house that gets little or no signal. Did I waste my money buying smart? Can I still do an ethernet connection off the power adapter? Should I put another router there instead, off the adapter, so I can use the theater's wifi?
Two part question: First is there a way to create a smart tunnel link on a user's home page like you have on the main portal page of the ASA 5550? I see the code that it is using but have not been able to get this to work. Here is that code;
<a href="javascript: parent.doURL('756767633A2F2F70676B636562712E7070757A702E6265742F50766765766B2F4B72614E63632F6E6867752F79627476612E6E66636B',[{name : 'user', value : 'CSCO_WEBVPN_USERNAME'},{name : 'password', value :
[Code]....
Second question when will MACs be able to auto start smart tunnel when the user first logs into WebVPN? Right now the only way I know of starting a smart tunnel on a MAC is a link on the main portal page. I am running code 8.3.2.13
After adding a NAT rule on Friday morning, I'm now getting a bunch of "portmap translation creation failed" messages from my ASA5520. (It's currently running 8.4(3).) The failure errors appear to have nothing to do with the change that was made. [code] I have very similar rules in place for other vendors to access other machines. The only difference between this new one and those old ones is the use of the objects in the rule instead of the direct IP addresses. This is also the first one that involves a range instead of a specific address or network. [code]
Two VLANs (ID 1 and 100) are on a Cat 4500, which connects to an ASA, interface DMZ. On the 4500, there is a default route pointing to the ASA DMZ interface. Issue: a server on VLAN 100 cannot ping a server on VLAN 1, and vice versa. When I enable the realtime log, it gives me a “Translation creation failed” message; please see the attached files.
Do I need to port forward a port for logging into my Linksys EA6500 smart wifi router from outside home? I can only log in when I'm on LAN or wifi. Another question: Can I only log in to the same router using an app? Isn't there a way to log in via browser?
We have a PIX with 3 interfaces. Inside, Outside,DMZ.
On my DMZ we have some clients that come in and remotely connect back to their office via MS PPTP. I set up the ASA with this to get rid of the error message: regular translation creation failed for protocol 47 src
Now when the DMZ client tries to connect back to their PPTP server I get the following error.
172.31.10.204 0 24.172.85.162 37624 Teardown dynamic GRE translation from dmz:172.31.10.204/0 to outside:24.172.85.162/37624 duration 0:01:30
172.31.10.204 1069 173.188.74.155 1723 Deny TCP (no connection) from 172.31.10.204/1069 to 173.188.74.155/1723 flags PSH ACK on interface dmz
172.31.10.204 173.188.74.155 63767 Teardown GRE connection 8393958 from dmz:172.31.10.204 to outside:173.188.74.155/63767 duration 0:01:08 bytes [ code]...