Cisco Security :: ASA 5510 - Internet Connections Dedicated VPN Traffic

May 22, 2011

We have an ASA5510 and we're currently using one internet connection to handle our site-to-site VPN connection and our internet traffic. We have a second internet connection on hand. What we would like to do is use BOTH internet connections: one will be dedicated to our VPN connection, one will handle all our internet traffic. How can we get this set up? We're running Software Version 8.4(1).


Cisco Firewall :: ASA 5510 - Get Traffic Through Box To 4 Dedicated Servers

Apr 17, 2013

Recently moved into the hardware firewall space and have an ASA 5510. Having some issues trying to get traffic through the box to my 4 dedicated servers. All the servers have static IPs and are connected to a private switch into one of the Ethernet ports on the firewall (0/2). Public internet connection into another (0/0). One of my servers has a connection to the management port and the public switch, and this is the one I'm trying to do the configuration on.

I'm unsure what to set the IP address of my "outside" interface as. I need to have RDP, FTP and HTTP traffic going to each of the 4 servers independently. Pretty sure I can get the rules in place to allow this, but I can't seem to get any traffic to go through the firewall to any of the other 3 servers.


Cisco Firewall :: ASA 5510 - Dual Internet Connections / Routing DMZ Traffic

May 29, 2012

I am having an issue when implementing an additional internet connection on our ASA 5510. The new connection is "TWCOutside". It was my understanding that static NAT would force our externally hosted servers (Email, PPTP VPN, and FTP) to continue to utilize the "ATTOutside" connection. Our remote site-to-site VPN traffic has two static routes configured to force it to continue to use the ATTOutside connection. When I switch the metric on the 0.0.0.0 0.0.0.0 98.103.148.145 route to 1, and change our default dynamic xlate to use "TWCOutside", it "mostly" works as expected. Email, the PPTP VPN server, and our remote site-to-site VPN server continue to use the ATTOutside connection as designed. Our end users begin using the new connection for their internet browsing.

However, our FTP server, in the DMZ, completely loses outside access. It cannot ping 8.8.8.8, or resolve DNS queries. There is a static NAT statement for this server, as it is using one of our dedicated public IP addresses. I need it to continue to do so for the next few weeks. Effectively, we just want to give our end users internet browsing on the new TWC link, but leave everything else on the old ATT link for the time being. The only problem I am having is the DMZ connection. I am currently "rolled back", so no one is using the new connection until I figure this out. I can easily switch the metric and dynamic PAT back to using the TWC connection, but I need to have some things to try with the DMZ before doing so. [code]


Cisco VPN :: ASA 5510 Internet Connection Dedicated VPN

Mar 4, 2012

I have an ASA 5510 with a second internet connection on its way. I would like to have one internet connection dedicated to my site-to-site VPN traffic and the other left to handle public internet traffic. I know I can do this with a static route, but I noticed today the "tunneled" option. How exactly does the tunneled option work, and would it work better for my specific situation?


Cisco Firewall :: ASA 5510 With 2 Internet Connections

Apr 5, 2013

Is it possible to have a Cisco ASA5510 with two internet connections performing as follows?

Internet A---------All traffic except LAN-to-LAN VPN
Internet B---------LAN-to-LAN VPN

I can't find anything definitive on Google to say it will or won't; I know it can't do policy-based routing.


Cisco Firewall :: ASA 5510 Two Internet Connections

Aug 1, 2011

We are in the process of getting two new connections pulled in that I would like to utilize in the following configuration.

DS3 - 45/45: I would like to use this circuit for all of our servers to NAT out of, as well as our VPN tunnel to our remote site. It will be much more reliable than our cable line.

Cable Internet - 50/10: I would like to use this for all internet traffic that users generate. I would like to be able to fail over to the DS3 if this line goes down.

To get all traffic to go out the cable line would take a dynamic NAT rule and a default route. How would I automate a failover to the DS3 with a backup route and dynamic NAT rule?

I understand that if the DS3 goes down it will take manual intervention to bring the tunnel back up, and servers with static NAT will need reconfiguration.


Cisco Firewall :: Cannot Get 5510 ASA To Reach Internet Traffic

Nov 30, 2012

I have been at this for the past few hours now. I just cannot get this device to pass traffic through to the internet. Here is the basic topology:

Default Gateway (ISP): 208.118.125.129/29
IP of outside int (e0/0): 208.118.125.130/29
IP of inside int (e0/1): 10.1.1.1/24
 
igniteCSGfw(config)# sho run
: Saved
:
ASA Version 8.0(4)

[Code].....


Cisco Firewall :: ASA 5510 / QOS For VOIP Traffic To And From Internet

Apr 20, 2011

We are using an ASA 5510 as our gateway to our ISP. All of our VOIP traffic is sent to an Internet SIP provider for our outbound calls. Our pipe to the Internet is 100Mbps metro ethernet. I am trying to find a way to provide QoS for this traffic so that I can reserve 20Mbps of the available 100Mbps pipe for VOIP traffic.

From what I've been able to figure out so far, I would use a combination of priority queues and traffic policing. However, it seems that this is nearly impossible to accomplish because I cannot control the remote device that my ASA connects to, because it is the ISP device. I could police traffic on the inside interface of the ASA. However, let's say that a client on our network starts downloading from an Internet host and the downloaded traffic saturates my Internet connection. I could police this incoming (from the Internet) traffic on the outside interface of my firewall. This would drop the packets, but the bandwidth would have already been used by the time it reaches my firewall.

Would the fact that I'm policing incoming traffic on my outside interface cause the sender to throttle down their transmit rate because packets are being dropped? Would this achieve my goal of guaranteeing available bandwidth for my VOIP traffic by not allowing other traffic to saturate the link?

Most documents I find regarding this topic describe providing QoS for VOIP traffic traversing a VPN connection, in which case you could configure both end devices.


Cisco Firewall :: 5510 - CSC SSM Slows Down Internet Traffic

May 17, 2011

We have a Cisco ASA 5510 with 256 RAM running 8.2.4 with CSC 6.3.1172.4. It slows down internet traffic drastically. When we do a speed test we get something like this [result not included]; if the computer is bypassing the CSC, it gets [result not included]. This was done when there was very low traffic on the LAN and CPU usage on the CSC was low. The CSC has been re-imaged as well, but that still doesn't solve the problem.


Cisco Firewall :: ASA 5510 - 2 Internet Interfaces Without Traffic

Jan 15, 2013

I need to route to subnets from 2 different ASA interfaces. The ASA also has an outside interface that works as the gateway for internet access. Here is my configuration:

ASA Version 8.2(1)
hostname ICE3
names
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 201.199.xxx.xx 255.255.255.248
[Code]....


Cisco Firewall :: 5510 Split Traffic Between VPN And Internet Using Different ISPs

Aug 25, 2011

What we are trying to accomplish here is to use two ISPs (one cable and one T1): use the cable line for site-to-site VPN and use the T1 line for all internet traffic. We currently use the following configuration: Cisco 2820 routers terminating the T1 -> HP switch -> Cisco ASA 5510 port 0 -> port 1 to LAN switch (Nortel 5510). We want to force all VPN traffic (using 10.0.0.0/24 subnets - 10.0.1.0, 10.0.2.0, etc.) through a cable connection, perhaps on port 2 of the ASA; then all non-VPN traffic goes to the T1.


Cisco Firewall :: 5510 Load Balance For Internet VPN Traffic

Jun 28, 2011

We are now using an ASA 5510 firewall and we would like to configure internet load balancing in our environment. For example, some IP addresses go through the local gateway for internet routing, but some addresses go through the VPN tunnel gateway.


Cisco VPN :: ASA 5510 - How To Enforce User Internet Traffic To Tunnel

Jun 4, 2011

Here is my situation:

home users ------ internet ------ ASA 5510 ----- CORP LAN

We have AnyConnect VPN and remote IPsec VPN; I think the solution should work on both of them. My question is: "How to enforce home user internet traffic to the VPN tunnel?" We have "split tunnel" to pass only "interesting traffic" to the VPN tunnel to access the CORP LAN. But now I need to enforce all user traffic (internet + CORP LAN) to pass through the VPN tunnel. So far, I did what I know:

1. Remove "split tunnel" from the group-policy.

2. The addresses in the "remote VPN user address pool" can be NAT/PAT through the ASA5510.

But I don't get why it doesn't work.


Cisco Security :: ASA5520 Send Traffic To SSM Module / Internet Connection Becomes Slow

Jun 8, 2011

I have installed CSC-SSM-10 on a Cisco ASA 5520. I am facing two problems:

1. When I send traffic from the ASA to the SSM module, the internet connection becomes slow and sometimes the internet session is disconnected.
2. When I try a manual update, the following errors show; please see attachment.


Cisco VPN :: ASA 5510 With Dual ISPs Split Traffic Between VPNs And Internet

Jul 1, 2011

I need to know how to set up my ASA with dual WAN links. One is 10/10 fiber, the other will be a 50/5 Cable Wideband link. The 10/10 fiber is currently being used for VPNs and Internet (about 20 point-to-point IPsec VPNs currently).

I want to add the Wideband link and use the "Tunneled (Default gateway for VPN traffic)" feature for the current fiber link, and the new Wideband link for any other internet traffic. I tried this; however, as soon as I set my fiber link to "Tunneled (Default gateway for VPN traffic)", I lost all connectivity.

I also set up my "VPN" link with the "tunneled" option and my "INTERNET" link with a default route to the internet. This would only let me ping internet sites from the ASA device but not from client computers, and also the VPNs would not come back up.

I have tried the SLA setting with a DSL line for failover and that works well. I've since got rid of the DSL and want to utilize 2 WAN links for different purposes/traffic.

ASA 5510, SSM-10: 1GB RAM
ASA version: 8.4(1)
ASDM Version: 6.4(3)
Context Mode: Single
FW Mode: Routed
License: Security Plus


Cisco WAN :: 3930 Comcast EDI Ethernet Dedicated Internet Setup

Dec 22, 2012

We have purchased Comcast fiber EDI services. They run a fiber to our office and connect to a Ciena 3930 switch. The speed we have is 30 down, used for Internet. Comcast provides a /30 and a /29 address. Do I need an additional router to route the /30 to the /29? I only have a PIX firewall.


Cisco Security :: How Many Default Context In ASA 5510 Security Plus Edition

Aug 8, 2006

Will the ASA 5510 Security Plus edition support active/active failover? Does it support contexts with the Security Plus edition? And how many default contexts do we get with the ASA 5510 Security Plus edition?


Cisco Security :: PIX 535 Maximum Connections

Jul 5, 2011

We have a PIX 535 with an unlimited license; it has 1,048,953 in-use connections because the timeouts have been changed to 24 hours. I am addressing this issue but was wondering why it's so high when the max concurrent sessions is supposed to be 500,000 as listed in the product spec. Also, when it reaches its max and cannot allocate a connection, what PIX syslog error message number would it send?


Cisco VPN :: Stops Forwarding Traffic On Subsequent Connections 861

Mar 23, 2011

I have a very strange problem on 2 (independent) Cisco 861 routers in different places. They are both configured as EasyVPN servers. One uses UDP, the other TCP. VPN clients connect by using the Cisco VPN client software. This cannot be changed because the customer expects it this way. Both routers have the same problem:

* The first VPN connection after a reset works fine. Traffic passes through and it is perfectly usable. I can ping the internal network interface on the router side from the client without problems.

* The second connection (and all subsequent ones from different client machines etc.) connects fine, no errors on the client whatsoever (not sure I evaluated all possible debug output on the "server" side). However, no traffic passes through. Pings do not come back from the 861 anymore through the VPN tunnel. I already enabled ICMP debugging and saw that pings are actually answered by the 861, but do not reach the client. The same seems to happen to any and all other packets as well.

* If I restart the 861 the very same thing happens: the first VPN connection works fine. You disconnect, try another connection from the very same client computer, and it does not work anymore until the next router reset. I append the configuration for the sake of completeness. Confidential parts are represented by XXX. Some ACLs are not in use right now; I used them for testing. [code]


Cisco WAN :: Have 2 ISP Connections On ASA 5510?

Sep 18, 2011

1 ISP connection which splits into two. One plugs into a 5510 with an outside IP and the other plugs into the other 5510 with an outside IP address.

See diagram below:

Router routes are set as:

ip route 0.0.0.0 0.0.0.0 10.x.x.1
##
ip route 10.x.x.0 255.255.255.0 10.x.x.2

We will be introducing another ISP into our network. We want to remove our current ISP and switch. But we don't want to do the cut overnight. We will migrate into our new ISP, so for a while we will have both ISP connections.

What I am thinking of doing is taking one of the ports on 10.x.x.1 and configuring it for our replacement ISP network, and the same for 10.x.x.2. Will that work?

Can I have an ASA 5510 configured for 2 separate ISP connections? What kind of route will I set on my router?


Cisco VPN :: ASA 5510 - Dual WAN Connections

Nov 29, 2011

Context:

1. My company has one ASA 5510 configured with site-to-site VPN, IPsec Cisco VPN and AnyConnect VPN.
2. We use the ASA to connect to the single ISP (ISP 1) for internet access. The ASA does all the NATing for internal users to go out.
3. A second link is coming in and we will be using ISP 2 to load balance traffic to the internet (i.e. business traffic will go via ISP1 and "other" traffic will go via ISP2).
4. A router will be deployed in front of the ASA to terminate internet links.
5. No BGP should be used to implement policy (traffic X goes via ISP1, traffic Y goes via ISP2).

Questions: How do I get this done? Particularly, how do I tell the router, for traffic X use ISP1 and for traffic Y use ISP2? PBR is my friend? Since I will be having 2 public IP addresses from the 2 ISPs, how do I NAT internal users to the 2 public IP addresses? Finally, which device should be doing the NATing? The ASA just like now, or move NATing to the router?


Routers / Switches :: Increasing Connections And Security?

Jan 24, 2012

I'm not sure about my title; it's the best I could come up with. I have approximately 7 computers, two iPhones, an iPad, wireless printers and a network attached storage. Most are connected via wifi, the exceptions being one PC, the NAS and a printer. I plan to add six more devices plus some IP cams. The way the router or network is configured, whenever a guest connects to our wifi they can "see" our computers. I haven't been able to tell if they can see the files or just the name of the computer. Question 1: How can I tell if the guests are able to access the data on our computers or networked drive? Question 2: If I add a switch, will I need to do anything special with regard to security?


Cisco VPN :: ASA 5510 - Stopped Accepting Connections?

Jun 7, 2012

My ASA 5510 has stopped accepting connections today. I cannot connect with ASDM either. ASDM hangs at "Contacting the device. Please wait" and does not return an error or time out. I can telnet into the device but my CLI knowledge is elementary at best. I'm trying to determine how to view or enable the correct logging and view it via CLI. I have looked at the client log from one of the users that cannot get in and have attached it. It looks like Phase 1 is not completing, but I'm not sure how to view what the ASA is logging. I have run debug cry isa and debug cry ipsec, but it just returns to the prompt and I'm not sure what I should expect to see or what command to run to view the results.


Cisco VPN :: ASA 5510 - Client Connections Getting Dropped

Mar 30, 2011

I have some remote locations that connect to my ASA 5510 cluster (Active/Passive) using the Cisco VPN Client, from which the connection gets disconnected at random intervals (could be 5 minutes, but sometimes after 15 minutes). However, some other remote locations do not have this problem. All locations have the same VPN client configuration (distributed by pcf file).

I already disabled isakmp keepalive on the ASA, but this did not work. If I read it correctly, the Cisco VPN client logging shows that the ASA initiates the ending of the connection.
 
Code...


Network TCP Connections Attempted By Service Files - Security Risk?

Mar 10, 2012

My AV often reports my Windows 7 Ultimate 64 service files, such as winmon.exe or service.exe, requesting open TCP connections along with a number of .DLL files, and at times they are flagged as heuristic behavior modification. However, I know many of those are undeletable, due to Windows security replacing them as soon as they are noticed to be missing, and in another thread it was also indicated that these must be deleted from three places almost at once to actually prevent them from being instantly replaced. This maybe explains why I get this repeatedly immediately after boot up, but after five or so times it slows down to now and then. Still quite a hassle to stop on start up.


Cisco Firewall :: Teardown TCP Connections With Kaseya Server (ASA 5510)

Sep 12, 2011

Normally the agents have a persistent connection with the Kaseya server (monitoring server). The connection is re-established after the next check-in of the agent, instead of a persistent connection. Now we need to wait for the next check-in before we can connect to the agent. This is a big performance issue; the check-in time of the agents is 3 minutes. I see a lot of the following messages in the syslog:
 
6Sep 12 201120:27:48302013customer site527985721Built inbound TCP connection 5418112 for outside:(customer site)/52798 (customer site/52798) to inside:kaseya server/5721 (outsideIP/5721) 
6Sep 12 201120:29:09302014customer site527985721Teardown TCP connection 5418112 for outside:(customer site)/52798 to inside:kaseya server/5721 duration 0:01:21 bytes 45 TCP FINs 
  
I created a normal static NAT rule from the Kaseya server to a public IP address, and I defined the protocols in the security policy. ICMP has been allowed. Cisco ASA details: System image file is "disk0:/asa824-k8.bin". This platform has an ASA 5510 Security Plus license. It looks like a connection time-out between the agents and our Cisco ASA.


Cisco Firewall :: ASA 5510 / Dropped Packets In VPN AnyConnect Connections?

Dec 5, 2012

Our Cisco ASA 5510 running 8.4(4)1 just started dropping packets and our AnyConnect clients are seeing horrible performance. The system is extremely slow compared to just a couple of days ago. Nothing has changed on the system. I can post the configs if needed.
 
firewall# sho int
Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
    Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
    Input flow control is unsupported, output flow control is off
    Description: == WAN Interface ==

[code]....
 
I have done a "sho vpn-sessiondb detail svc" and I can see the dropped packets of the individual users, but cannot see why the packets are still dropping. How can I correct this and restore speeds?


Security / Firewalls :: Review Incoming Remote Desktop Connections Historically?

Apr 20, 2013

I was at my computer when the desktop appearance and taskbar changed. I immediately opened Task Manager to see what program might have caused this and didn't see anything out of the ordinary. Then about 2 minutes later my desktop changed back to what it normally is. I then went and disabled remote desktop connections... I think that someone may have accessed my PC remotely, but I wasn't able to catch them at it. Is there any way to review incoming remote desktop connections historically?


Cisco Firewall :: Traffic Limit For Internet Traffic Using ASA 8.2

Nov 27, 2012

I am testing bandwidth limiting using my ASA 8.2. I am trying to limit internet access for certain users, in order to save bandwidth for the important things, but I can't get any limitation.

My configuration is the following. The access list is just for my PC in order to test, and the service policy is applied to the outside interface (called Internet in my case) for incoming traffic:

access-list Internet_mpc_1 extended permit ip host 172.16.127.70 any
class-map Internet-class-TEST
 match access-list Internet_mpc_1
policy-map Internet-policy-web
 class Internet-class-TEST
  police output 1024000 1500

service-policy Internet-policy-web interface Internet

With show service-policy I can't see any activity on the policy, but if I do a similar configuration for the inside interface outgoing traffic I can see packets allowed and dropped.


Cisco Firewall :: ASA 5520 - Allow Traffic From DMZ To Internet And Block Traffic?

Apr 29, 2012

I have an ASA 5520 with the below config
 
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
 
I have an SMTP relay deployed on the DMZ for mailing. I also have mail servers installed in the internal LAN.

I want to allow traffic from the DMZ to reach the internal LAN, and I also want to allow the SMTP relay on the DMZ to reach the Internet as normal.

How can I block traffic from the DMZ from reaching the internal LAN (instead of SMTP) if, to allow traffic from the DMZ to the Internet, I must put ANY in the policy?

For allowing traffic from the DMZ to reach the Internet, the policy must be DMZ -----> ANY -----> Services. Does this policy mean the DMZ can implicitly reach the internal LAN?


Cisco Firewall :: 5510 - Connections Routing Between Two Internal ASAs Fail

May 19, 2012

We have a site with two inbound circuits, one for internet and one for our MPLS. Each circuit is being terminated by a 2921 router and a matching ASA 5510 firewall. For the internal network, the Internet ASA's inside interface (172.16.0.1) is the default gateway for all hosts. OSPF is the routing protocol between all the routers and ASAs, and routing is working. In fact, ICMP is working as well. From an inside host (172.16.0.81), we can ping anything on the MPLS network. But when I try to use telnet (for example), the connection fails. If I add a route to 10.10.10.0 to the host, or re-configure the host to point to the MPLS ASA (172.16.0.254) as its default gateway, connections will establish.
  
Both ASAs are running 8.4(3), and have the following commands:
 
same-security-traffic permit intra-interface
interface Ethernet0/0
 nameif outside

[Code]....

And from the MPLS nodes, I can see a TCP request is made.


Cisco :: ASA 5505 Same Security Level Traffic?

Jun 27, 2011

I have an ASA 5505 that has two inside security-level 100 interfaces and an outside interface. On the inside interface we have the corporate domain subnet with a DC and 30 hosts. On the inside2 interface I have a few servers that run a specific application important for our business needs, and dumb terminals that are connected to them. I have a laptop user that periodically needs access from our corporate VLAN1 to one of the servers on the inside2 VLAN via remote desktop or some other remote viewer client, so he can view reports etc. I have enabled the same-security-traffic intra-interface command and added a NAT exempt command pointing the specific laptop host machine to that specific server.

Now my main concern is regarding security. This user carries his laptop home, browses the web, plugs in USB memory, and you can imagine how this machine is susceptible to all kinds of malicious software. The inside2 VLAN is very important and until now it has been a very secure environment. This is no longer the case, since all traffic between this inside sec-level 100 VLAN host and the corresponding inside2 sec-level 100 server is now allowed because of the enabled same-level interface traffic and the NAT exemption rule. Do I have another solution that would allow communication based on just a TCP port number for this host? Something like port forwarding from the outside to the inside VLAN interface?


Security / Firewalls :: How To Block Traffic From A Lan Ip

Jan 16, 2013

When I run the netstat -b command, I always see a LAN IP sending TCP traffic to my computer with state SYN_RECEIVED:

Proto >> Local Address >> Foreign Address >> State >> Process ID
TCP >> (my ip) >> 192.168.2.222 (LAN ip) >> SYN_RECEIVED >> 4
