Cisco :: IPS Inside Or Outside FW?

Apr 4, 2011

Been reading up on IPSs some, and some sources say the IPS goes inside the FW, some say it goes outside. I know the inside is easier to tune and more secure; what are y'all's opinions on where it should go and why? (I will say most of them say IPSs on the inside and outside, but I figure that's something of a marketing ploy.) I kinda like inside the FW to keep it a bit more safe and to avoid the stuff the FW will kill by default that's out gunking up the internet.


Cisco WAN :: 2811 - Cannot Ping Inside Global IP From Inside Network

Dec 18, 2010

I have 2 questions. On my Cisco 2811 (IOS 12.4(15)T9 IPBASE W/O Crypto) I am using 3 interfaces. And I have a pool of global addresses: 200.x.z.97-200.x.z.126 255.255.255.0

interface FastEthernet0/1
 description WAN interface
 ip nat outside
 ip address 200.x.y.253 255.255.255.0
!
interface GigabitEthernet0/2/0
 description DMZ interface
 ip nat inside
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/3/0
 description LAN interface
 ip nat inside
 ip address 192.168.0.251 255.255.255.0
[Code]....


Cisco WAN :: NAT Inside-to-inside (hairpinning) With NVI On 887VA?

Nov 25, 2011

I'm trying to configure hairpinning on my Cisco 887VA VDSL router, so all LAN users can connect to the server using SMTP port 25, which is also in the same LAN subnet, using the external router address, which is assigned to the Dialer1 interface. Traffic coming in from outside works fine.
 
External IP: 1.1.1.1/29
PC address connecting to the server: 192.168.101.28
Server address: 192.168.101.200
IOS: 15.1.4M1

[code]....

I'm running tcpdump on the server on port 25 and... nothing happens. The traffic is not going through. One thing that I've noticed in debug ip packet is this line:

s=1.1.1.1 (Vlan1), d=192.168.101.200 (Vlan1), len 52, rcvd local pkt

shouldn't source be internal vlan1 IP - 192.168.101.1?


Cisco :: (Duplicate TCP SYN From Inside)

Nov 8, 2011

I'm seeing a TON of traffic in my ASA logs (via ASDM) indicating the following: "Duplicate TCP SYN from inside:(valid internal address of one of our laptops)/50164 to inside:(address on our other subnet, still trying to trace it)/9100 with different initial sequence number". This looks like an attack to me; likely someone's downloaded something they shouldn't have and got an infected laptop. Why it's trying to "call home" to something inside our network is what puzzles me, though. Is there any VALID reason I would see this sort of message in my log?


Cisco :: ASA 8.4(1) Changing Inside To Outside IP

Mar 10, 2011

My Exchange server should have an outside address ending in .82, which is one of the public IPs assigned to it. Inside 192.168.168.250 -> Outside x.x.x.82. How can I configure this in ASA 8.4(1)?


Cisco :: Can't Telnet From Inside To 891

Jan 26, 2012

I have an 891 router I have been testing some things on. I have been able to successfully telnet to it in the past with no problems. Just yesterday I was trying to set an interface to have an IP of 10.10.10.2, which I realized was an IP I had forgotten to exclude from DHCP, and it was handed out to the computer I was using to telnet in. So I wrote in the exclude commands and did an ipconfig -release / ipconfig -renew on my PC that had the 10.10.10.2 IP. After the renew I was given 10.10.10.7 (put in a few more excludes).

However, the release dropped my telnet connection and afterwards I was completely unable to telnet in, getting the error that says I cannot open the connection on port 23. I had made some changes to my entire config beforehand which had it switch to use a new public IP. I never saved the changes and did a hard reset by unplugging the router to get my old config back and see if I could telnet after that. Still could not get in, same error. Well, I went through and remade my entire config to use the new public IP. My 10.10.10.7 PC can access the internet, DNS, ping the router, all just fine. Still can't telnet. I remade my line/vty config and made sure it matched up with a config I had on another router. Still can't telnet. Last thing I did was go in and manually clear all open line connections. All that is left is an idle 0 con 0 line that it won't let me close. Still can't telnet.

What the **** is going on with this thing? I am completely at a loss to explain why I can't telnet. It must be something in my ACLs that I am missing?


Cisco Firewall :: PIX 525 - Inside / Outside IP Same?

Feb 21, 2013

I have inherited a PIX 525 environment and I need to document a lot of stuff to catch up on what is going on. I was gathering IP address information and ran "show interface outside" and "show interface inside" and noticed the same IP assigned to both. I checked the MAC addresses and they are different. This IP is also listed as the Management IP. So I am sort of confused. What condition would warrant both the inside interface and the outside interface, along with the Management IP, having the same IP?

The PIX and the hosts it monitors live in a VLAN controlled by a Brocade switch, which is also our gateway out.


Cisco :: Accessing Inside PAT From DMZ Network?

Aug 3, 2011

Setup as follows:

Cisco ASA 5510
Inside 172.17.101.249
outside 5.5.5.2
DMZ 192.168.100.1

I have an internal server 172.16.1.202 that is PATed to 5.5.5.103 to allow RDP connections. This works fine from the internet. I have now been asked to allow our guest wireless (192.168.100.0/24 - DMZ) to access this same external connection. We have 2 Cisco controllers, with the guest controller "anchored" in the DMZ. I cannot get this to work. Both the DMZ and inside NAT their internet connections to 5.5.5.2.


Cisco :: Can't Ping From Inside To Outside Host?

Jul 6, 2011

I am trying to configure my Cisco ASA 5510 (ASA version 8.3.1) so that a host (e.g. 192.168.8.20) behind the management interface can ping another host (e.g. 192.168.2.246) behind the outside interface. I tried modifying the ACLs, NAT and ICMP statements, but it still fails. [CODE]


Cisco Firewall :: ASA5510 Cannot Seem To Get From Inside To Outside

Oct 20, 2011

I have an ASA 5510 with ASA 8.4(2) and ASDM 6.4(5)205. I have a new basic config, nothing special at this time. I just cannot seem to get from the inside to the outside. From the outside interface I can ping, so I have a good Internet connection. [code]


Cisco WAN :: 1811 - Use Global Ip Inside LAN?

Oct 19, 2011

I have a Cisco 1811 router. I set up port forwarding for my mail server, so from outside I can access the mail server from my mobile, but inside the LAN I cannot, because I use my global IP address in my mobile config.


Cisco WAN :: ASA5590 - How To Allow Access From DMZ To Inside

Mar 7, 2011

In the configuration of my ASA 5590 I am trying to give access to TCP ports 50,000 to 60,000 from the DMZ to the Inside interface.


Cisco Firewall :: ASA 5550 Two ACL From Outside To Inside

May 13, 2011

I have an ASA 5550 running version 8.3(1) with inside and outside interfaces as below. [code] On the inside I have a server (10.20.10.36) that needs to be accessed from an outside host (Y.Y.131.34), so I have the below NAT/ACL rules. [code] Is it right that I have to add two ACL entries, one for the outside host to the NATed IP of the inside server and then another from the same outside host to the private IP of my inside server, to get this communication done?

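The ASA 8.4(1) post above (inside 192.168.168.250 published on a public .82 address) and the ASA 8.3(1) post (server 10.20.10.36 reached from one outside host) come down to the same 8.3+ pattern and the same point about the access list: from 8.3 onward an interface ACL is evaluated against the real, untranslated address of the inside server, so a second entry naming the mapped public IP never matches anything and only gives a reviewer a second rule to audit. The configuration below is an example added for this page, not either poster's config. The hosts 10.20.10.36 and 192.168.168.250 come from the posts; 203.0.113.36, 203.0.113.82 and 198.51.100.34 are assumed stand-ins for the redacted public addresses, and the services (https, smtp) are assumed because neither post names them.

```cisco
! ASA 8.3+ static NAT plus interface ACL (added example, not from the posts).
! Assumed: 203.0.113.36 and 203.0.113.82 stand in for the redacted public IPs,
! 198.51.100.34 for the permitted outside host; services assumed https and smtp.
!
! Server from the 8.3(1) post: one network object carries the real address
! and its translation.
object network SRV-INTERNAL
 host 10.20.10.36
 nat (inside,outside) static 203.0.113.36
!
! Exchange server from the 8.4(1) post: same pattern, different mapped address.
object network SRV-EXCHANGE
 host 192.168.168.250
 nat (inside,outside) static 203.0.113.82
!
object network HOST-REMOTE
 host 198.51.100.34
!
! In 8.3+ the interface ACL matches the REAL address (the object's host line),
! never the mapped 203.0.113.x, so one entry per permitted flow is the whole rule.
access-list OUTSIDE_IN extended permit tcp object HOST-REMOTE object SRV-INTERNAL eq https
access-list OUTSIDE_IN extended permit tcp any object SRV-EXCHANGE eq smtp
access-list OUTSIDE_IN extended permit tcp any object SRV-EXCHANGE eq https
! Explicit logged deny: misses show up in syslog as %ASA-4-106023 instead of
! vanishing into the implicit deny at the end of the list.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Verify on the box before blaming the server: packet-tracer walks the UN-NAT,
! ACL and route phases for a synthetic SYN arriving on outside for the mapped IP.
packet-tracer input outside tcp 198.51.100.34 40000 203.0.113.36 443
show nat detail
```

The packet-tracer destination is the mapped address because that is what arrives on the outside wire; the ACL phase in its output will nevertheless report a match against the SRV-INTERNAL object, which is the behaviour the 8.3(1) question is about.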

Cisco VPN :: 5505 SSL VPN Works From Inside But Not Outside

Sep 20, 2012

I'm setting up a VPN in order to share files between two locations. I'm not sure it's the best solution, but he insists on using his Cisco ASA 5505 firewall via a clientless VPN. His set-up is a simple residential cable modem (Motorola SurfBoard/Time Warner) set in DMZ mode, the Cisco ASA, and an Ubuntu server.

The clientless VPN is set up, as are the user groups and bookmarks. I'm able to browse to the firewall's internal interface IP (https://192.168.1.1) and log in to the clientless VPN portal, and from there I can access all of the plug-ins I've configured (CIFS, VNC, etc.). The problem is that I cannot connect from outside the local area network.

I think it's something very basic that I'm missing, like a NAT rule. I've tried adding some, but they always seem to interfere with the NAT rule allowing users to connect, via the internet, to the Apache web server (port 80) running on the Ubuntu machine behind the ASA firewall.

Like I said, I'm not sure this is the best solution for him. Using an ASA seems like overkill for something that can be accomplished with some software, but he and I are both fans of Cisco, and, as I said, he is adamant about using this set-up. If it comes down to it, I'd like to be able to honestly tell him that I exhausted every resource in trying to find a way to make this work for him before giving up and going to "Plan B".


Cisco WAN :: 2811 QoS For IPSec VPN And Inside VPN

Jan 23, 2011

We have a remote office that needs to be connected to the central office through a site-to-site IPsec VPN. At the central site there is a 2811, and at the remote site there is an 1841. Most of the traffic will be VoIP traffic and small amounts of data.

I need to set up some QoS that would firstly prefer the VPN traffic over internet access, and then inside the VPN I need some QoS that will prefer VoIP over data.


Cisco Firewall :: DMZ To Inside On ASA 5510

May 9, 2011

I have deployed a read only domain controller in our DMZ as part of a domain-related project.  That machine needs to be able to reach domain controllers on our internal network.  To do so, it should traverse our ASA 5510, going from the DMZ Interface (security level set to 60) to the Inside Interface (security level set to 99).
 
I've created an ACL as follows (altering hostnames in the example):
 
access-list dmz_access_in extended permit ip host dmz.rodc.domain.local object-group int-domain-controllers
 
I've read in various spots that you have to create a NAT when traversing security levels, going from a less trusted interface (DMZ) to a more trusted one (internal.)  Since this link will carry domain traffic, we do not want to create a real translation.  Thus, I created a stand-in NAT that points to its own IP as follows:
 
static (dmz,inside) dmz.rodc.domain.local dmz.rodc.domain.local netmask 255.255.255.255
 
Long story short, the connection fails.  I'm able to access other hosts in the DMZ and on another interface configured with the same security level (which I've explicitly allowed), but trying to go from the less-trusted DMZ to the more-trusted internal fails.


Cisco Firewall :: ASA 8.2.5 - DMZ To Inside Access?

Oct 18, 2012

A Cisco ASA running 8.2.5 with 3 interfaces:

Outside (security level 0) - Internet IP
DMZ (security level 2) - 192.168.8.0/24
Inside (security level 100) - 192.168.1.0/24

An ACL on the DMZ which looks like this:

access-list DMZ_IN extended permit ip 192.168.8.0 255.255.255.0 any
access-list DMZ_IN extended deny ip any any
access-group DMZ_IN in interface DMZ
global (outside) 1 interface
nat (DMZ) 1 192.168.8.0 255.255.255.0

NAT control is not enabled (the default). There is no NAT exemption, static identity NAT or NAT of any kind set up between the Inside and DMZ. The question is: will the DMZ network be able to initiate connections to the Inside network, or will only outside (Internet) access be permitted?

A) No, inside access will not be permitted, only Internet access will be permitted, because there is no NAT exemption or static identity NAT between the lower security level interface (DMZ) and the higher security level interface (Inside), regardless of the DMZ ACL rule with a destination of ANY.

B) Yes, access to the Internet and the Inside can be initiated because NAT control is disabled and there is an ACL that permits DMZ traffic to 'ANY' destination.

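The two 8.2 posts above, the 5510 with the RODC in the DMZ and the 8.2.5 quiz, are the same question: what a host on a lower-security DMZ interface needs before it can open connections to the higher-security inside interface. On 8.2 with nat-control left at its default of disabled, no translation is required; traffic between any two interfaces passes untranslated unless a NAT rule actually matches it, and the only control standing between the DMZ and the inside is the access list applied inbound on the DMZ interface. In the quiz configuration that ACL permits 192.168.8.0/24 to any, and "any" includes 192.168.1.0/24. The identity static in the 5510 post is required only once nat-control is enabled, or when a dynamic rule would otherwise translate the flow, but it is harmless either way. The configuration below is an example added for this page, not either poster's config: the 192.168.8.0/24 DMZ and 192.168.1.0/24 inside ranges come from the 8.2.5 post, while the host addresses 192.168.8.10, 192.168.1.10 and 192.168.1.11 are assumed.

```cisco
! ASA 8.2.x, DMZ host initiating to inside domain controllers (added example).
! Assumed addresses: 192.168.8.10 is the DMZ host (the RODC in the 5510 post),
! 192.168.1.10 and 192.168.1.11 are the inside domain controllers.
!
! With "no nat-control" (the 8.2 default) this flow needs no translation; the
! DMZ interface ACL below is what permits or denies it. The identity static is
! only mandatory once "nat-control" is turned on, and is kept here so the DMZ
! host keeps its real address on the inside interface in either mode.
object-group network INT-DOMAIN-CONTROLLERS
 network-object host 192.168.1.10
 network-object host 192.168.1.11
!
! Identity NAT in 8.2 syntax: (real_ifc,mapped_ifc) real_ip mapped_ip, with
! real and mapped address identical, so no address change occurs.
static (dmz,inside) 192.168.8.10 192.168.8.10 netmask 255.255.255.255
!
! Permit only this DMZ host, only to the DCs. The logged deny makes anything
! else from the DMZ visible in syslog (%ASA-4-106023) rather than silently
! dropped by the implicit deny; a "permit ip ... any" here, as in the quiz,
! would also reach the inside network.
access-list dmz_access_in extended permit ip host 192.168.8.10 object-group INT-DOMAIN-CONTROLLERS
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface dmz
!
! Verify the path on the firewall before touching the hosts: packet-tracer
! reports which phase (ACL, NAT, route) drops a synthetic LDAP SYN.
packet-tracer input dmz tcp 192.168.8.10 40000 192.168.1.10 389
show xlate | include 192.168.8.10
```

"permit ip" keeps the example readable; in production narrow it to the directory ports the DMZ host actually uses, and keep the logged deny so that the narrowing shows its misses in syslog instead of as silent failures on the host.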

Cisco VPN :: PIX-525 - VPN Works On Inside Interface But Not Outside

Sep 25, 2011

I have a PIX-525 with a UR license. I was trying to get my VPN to work from my iPhone over the weekend but to no avail. I then changed the interface to the inside to see if my iMac could connect and bingo! It worked. I then tried to connect via the inside interface with my iPhone and it worked.

I connected a PIX-515E and, using the same settings, can connect to the outside interface via my iPhone.

Now, to answer the pressing questions: yes, I changed the server IP address in my IPsec client settings to reflect the outside and inside interfaces as I was testing each one. I was using a preshared secret. Yes, the secret was entered correctly and they all matched... yes, the tunnel name was entered correctly. I was using the local user database for authentication with username/password (i.e. no certificate authorization, to make things simpler for debugging). I changed the syslog to debugging and I see absolutely no errors when trying to connect my iPhone to the outside interface (i.e. turning wifi off so I'm on my 3G data network). The only thing I see is where my iPhone hits the outside interface and it does a teardown (or whatever it's called) but that's it.

Why would this work like a charm with my PIX-515E and not my PIX-525? Could the VPN accelerator card in the 525 be at fault? The 515E does not have the accelerator card. Why can I establish a VPN connection on the inside interface but not the outside?


Cisco Firewall :: ASA 9.1 Inside To DMZ Access

Feb 26, 2013

I recently upgraded my ASA from 8.2 to 9.1 (reconfigured from scratch; did not convert the old config) and everything seems to be working fine except for communication between my INTERNAL network and my DMZ. Here's my config below:
 
ASA Version 9.1(1)
!
hostname ZEPPELIN
domain-name MIWEBPORTAL.com
enable password XXXXX
[Code]...


Using External DNS Inside LAN?

Apr 19, 2012

I think the subject gives a good first impression of what I'd like to achieve. Anyway, I'll give a little more context. I'm running a Windows Home Server in my LAN and I would like to use its functionalities (especially the streaming features) from "anywhere" using the same URL. My router is a Linksys WRT160Nv3 running the DD-WRT v24-sp2 firmware. I've already set up the necessary port forwardings, as most of the WHS sites run on ports 80 (http) and/or 443 (https) and my ISP is blocking all ports < 1024 (I know it sucks, but nothing to do about it). Anyway, outside my network (friend's home, work, ...) I can access my home server by browsing to http://xxx.homeserver.com:10080 or https://xxx.homeserver.com:10443. What I want is that this (external) DNS also works when I'm inside my network (so when I'm at home).

Is this possible? I want this because on the home page of the WHS web interface I have some links (for example to sabnzb, or the web page of my RAID controller, etc.), but they all point to http://xxx.homeserver.com: These URLs (with the external DNS) are not working when I'm inside my LAN. I'm not an expert, but I'm quite sure it's a DNS issue. Some more info: when I do an nslookup xxx.homeserver.com I see the (external) static IP that has been assigned to my router. When I do a ping to xxx.homeserver.com I also get a reply from the (external) static IP that has been assigned to my router.


Cisco :: ASA 5505 SSL VPN Can't Reach Inside From VPN Subnet

Jul 7, 2012

I've set up an SSL VPN to an ASA 5505 and can connect.

VPN network 192.168.2.0/24
Inside network 192.168.1.0/24
Outside is connected to a router.

I am trying to RDP to a Windows server on the inside network but I can't get to it. I cannot even ping 192.168.1.1 or (not sure if I could anyway) 192.168.2.1...

I added an ACL on the outside interface and then the inside interface, permit ip any any, but still no ping or RDP...

New at VPN and have survived so far on Cisco docs, but this problem is evading me.

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa

[Code]....


Cisco :: NAT For Ospf Networks Or Any Inside Network

Jul 1, 2012

I have a simple ISP topology built in GNS3 for testing (PPPoE) dialers: a Cisco router (R1) connected to my PC network card, doing NAT translations for all the devices in the topology. I know how to configure NAT for a specific IP range, but I can't find out how to configure NAT for networks which are learned through OSPF (or any other dynamic way).


Cisco :: New ASA5505 Can't Change Inside Interface From 192.168?

Jul 8, 2011

I currently have an out-of-the-box ASA 5505 and need to change the internal interface from 192.168.1.1 to 10.20.3.1 so it fits in with the rest of the network. I tried using the ASDM Startup Wizard (via 192.168.1.1) and it just seems to hang on "delivering the commands to the device".


Cisco :: ASA 5505 DMZ Do Not Talk To Inside Network

Jul 29, 2011

I have a 5505 with the Security Plus license. I have a web server in the DMZ that needs to talk with a server on the inside network but it doesn't seem to be able to. I'm guessing there is something I need to do to enable the DMZ to talk to the inside network.

Here is the config.

[code]...


Cisco :: Multiple VLANs Inside The Same Subnet?

Apr 4, 2013

The network topology is like this: a router with a DHCP server on it.

VLAN 10
VLAN 20
VLAN 30

My question is how to configure the router so that all devices on all 3 VLANs can obtain an IP from the router. I've tried to enable proxy ARP on all interfaces and create sub-interfaces and trunk them to their appropriate VLANs, but I can't specify the gateway on all trunked sub-interfaces because I get a warning that addresses overlap. Then I tried to set an access-group on all sub-interfaces and it still doesn't work.


Cisco :: Unable To Access Inside Network

Jun 25, 2012

I have set up a few VPN clients but no one is able to access the inside network. The clients all get an IP address from the pool and the DNS servers' IPs, but cannot ping or connect to their PCs. I'm thinking it's somewhere in the ACL.


Cisco :: ASA 5510 Ping Between Inside Interfaces

May 4, 2012

I have two inside interfaces (both security level 100) inside and inside110. Inside is 192.168.105.3/24 and inside110 is 192.168.110.3/24. I have a PC on the 192.168.105.0/24 network. I cannot ping the 192.168.110.3 IP of interface inside110.


Cisco WAN :: Asa5505 Inside Network Route To Another One

Nov 29, 2011

I have a Cisco ASA 5505 firewall. My inside network is 192.168.1.0 255.255.255.0. I want to add a static route to another network I have; that network ID is 192.168.2.0 255.255.255.0. How can I add the route?


Cisco Firewall :: 5505 DNS Does Not Resolve Inside DMZ

May 14, 2012

I have a 5505 that currently has inside/outside interfaces and everything is working just fine. I am trying to create a DMZ that will essentially be just for vendors/guests. The DMZ will have full access to the outside (Internet) but no access to the inside. I am using the FW for DHCP, and 8.8.8.8 and 4.2.2.2 for DNS. I currently have 1 laptop in the DMZ VLAN, and it is getting a correct IP, and it is showing 8.8.8.8 and 4.2.2.2 in ipconfig. I can ping/tracert 8.8.8.8 / 4.2.2.2 / 74.125.137.147 (what url... resolved to on a laptop connected to the inside VLAN), but I cannot ping nor browse to url.... [code]


Cisco Firewall :: Outside To Inside Not Work ASA5505

May 8, 2013

I am very new to Cisco ASA and I have been trying for many days to implement the design below but still cannot get it done. The situation I am facing is:

- a host (e.g. 192.168.5.10) under the Inside interface can contact the outside without any problem.
- however, a host outside (e.g. in VLAN1 or outside this network) cannot contact a host under the Inside interface. I am using a PING test and always get Request Timed Out. [code]


Cisco Firewall :: Cannot Ping To Inside Hosts From ASA-8.2

Jun 8, 2013

I am struggling to get successful pings between the ASA and inside hosts but couldn't succeed. The packet-tracer result is acl-drop.
 
Here is the running config
 
Prem-ASA(config)# sh run
: Saved
:

[Code].....


Cisco Firewall :: 5520 / Add NAT For Outside X.x.x.77 Going Inside X.x.x.22 Port 80?

Oct 3, 2012

I have an ASA 5520, Cisco Adaptive Security Appliance Software Version 8.4(2)8, Device Manager Version 6.4(5)206. I am trying to add a NAT for outside x.x.x.77 going to inside x.x.x.22 port 80. The WAN interface is .74 with a subnet mask of 255.255.255.248. The rule will add, but traffic won't pass in.


Cisco Firewall :: 3560x Cannot Communicate From Inside To DMZ

Aug 7, 2012

I have an existing ASA firewall that is configured with an inside interface and an outside interface; communications are working fine in this configuration. I am trying to add a DMZ interface that will be connected to a 3560X switch. The new ASA and switch configuration are below. [code]

I cannot ping from a computer on the LAN (10.10.10.3) to the IP address of the DMZ switch on VLAN 510 (10.50.10.1). I can, however, ping from the DMZ switch (10.50.10.1) to the workstation on the LAN (10.10.10.3).








Copyrights 2005-15 www.BigResource.com, All rights reserved