Cisco Switching/Routing :: ASA 5505 - Blocking Traffic To Specific IP Addresses

Sep 24, 2012

I inherited a Cisco ASA 5505 and am trying to piggy back the device off of an established Network.  Here is the basic layout:
 
192.168.10.1 (Core Router - Handles DHCP/DNS)
192.168.10.9 (ASA 5505 - Piggy backing off of Network)
192.168.40.x (ASA 5505 - VLAN)
 
I'm able to get onto the Internet without any problems.  Devices from the 192.168.10x Network can not ping the inside VLAN1 (192.168.40.x).  However, I would like traffic going from the inside VLAN to the Outside VLAN to be blocked, except for 192.168.10.1 and 192.168.10.9.  I've tried using ACL's but end up killing my Internet connection.  192.168.10.1 is the default route and is how I get out to the Internet.  Is this possible?  Essentially, I'm trying to set up a small Network that guests can connect to.  The idea is that they can get to the Internet, but that is it. They can't get to internal resources on the 192.168.10.x Network
 
Here is the config:
 
ASA Version 8.2(1)
!
hostname ciscoasa
enable password EeCsulrpu.9LalEE encrypted

[Code].....

View 5 Replies


ADVERTISEMENT

Cisco Switching/Routing :: Firewall On 1921 K9 Blocking UDP Traffic?

Apr 18, 2012

I have a 1921 K9 with a 4 port 10/100/1000 EHWIC switch.

Interface 0/1 = 192.168.1.0
EHWIC = 192.168.5.0
 
I have Active Directory setup on the 192.168.1.0 network. When I attempt to join the domain from 192.168.5.0 it joins but I get errors. After some troubleshooting using portqry I have found that the services related to class map DomainTrafficUDP are being reported by portqry as being filtered regardless of policy map settings (currently set to allow).
  
Building configuration... 
 
Current configuration : 18833 bytes
!
! Last configuration change at 11:20:25 NewYork Thu Apr 19 2012 by dave
! NVRAM config last updated at 13:56:45 NewYork Wed Apr 18 2012 by dave
!

[Code].....

View 2 Replies View Related

Cisco Switching/Routing :: ASA 5510 Routing Specific Traffic To Inside Router

Nov 7, 2012

I have an ASA 5510, with Ethernet0 connected to Internet via a T1 line, Ethernet1 connected to LAN1, and Ethernet2 connected to LAN2.  LAN1 & LAN2 are independant, but share the Internet connection, via the T1 line.  On LAN2, I have another router that connects to the Internet, via a Comcast line.  I wish to route some of the traffic on LAN2 (10.38.77.0) to the other Router, on LAN2 (10.38.77.12) (connected to the Comcast line).  I have entered the following lines:

route inside2 10.11.0.0 255.255.0.0 10.38.77.12 1
route inside2 10.252.0.0 255.255.0.0 10.38.77.12 1
route inside2 172.22.6.0 255.255.255.0 10.38.77.12 1
 
I can trace the routes from the ASA 5510 (1st hop is to 10.38.77.12), but not from anything else on LAN2.

View 7 Replies View Related

Cisco Switching/Routing :: 3750 - Only Allow Specific Traffic To VLAN

Oct 10, 2012

Have a quick question regarding inter-vlan routing on a 3750.  Overview of network is ISP --> ASA --> 3750 (acting as my core and default gw).  I have 5 vlan interfaces on my 3750, all w/ 192.192.x.x subnets, a 6th w/ 192.168.100.x, and a 7th w/ 192.168.200.x.  I have enabled "ip routing" on the switch and can successfully ping from subnet A to subnet B as long as both devices are using the correct DG for their vlan, which is the switch.  I have a few ports that are trunked as well that go to ESX hosts which break out the vlans according to the subnet the vm should be attached to.  The ASA is set to nat internal traffic for all the vlans.
 
Now my question:  short of applying an ACL to each vlan interface to block traffic from other 192.192.x.x subnets is there a better way to accomplish this?  I want my 192.168.10.x subnet to be able to reach all the subnets, but don't want 192.192.10.x to be able to talk to 192.192.20.x for example.  I was thinking to create an acl like this:
 
access-list 120 permit ip 192.192.10.0 0.0.0.255 access-list 120 deny ip 192.192.0.0 0.0.255.255 192.192.10.0 0.0.0.255access-list 120 permit ip any 192.168.100.0 0.0.0.255 192.192.10.0 0.0.0.255
 
and then applying this to the interface for the appropriate vlan. 

View 4 Replies View Related

Cisco Firewall :: ASA 5505 NAT Rules Blocking Inside Traffic

Jan 7, 2012

Previous attempts to set up these NAT rules has been met with minimal success. We have been able to get the NAT rules created, and able to ping our inside servers and receivers from a  different outside network, but every time we get that far our internal network crashes.  Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to  the workstations is being blocked by the default implicit rule under the access rule heading  that states "any to any, service being ip, action= deny". Reverse traffic from the workstations to  the servers is being allowed though. In an effort to start over again, the Cisco ASA has been  Factory Defaulted via the CLI, and has had it's Inside network, and Outside IP address set back up. DHCP pool has been setup for a minimal amount of addresses on the   inside network, since  most of our equipment will always be assigned statics. We reset our static NAT policies, and  seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. [code]

View 10 Replies View Related

Cisco Switching/Routing :: ASA 5505 - Multiple Outside Statics IP Addresses?

Dec 14, 2012

I have an ASA 5505 with Security Plus License ?I have 5 Static IP Addresses from my ISP?I have the following interfaces. Outside (vlan 2) / Inside (vlan 1) / Guest (vlan 3)For my Vlan3 guest network I have set it up so that DNS must be routed through opendns.org's DNS servers ( for web filtering, etc ) However, its using the static ip that I have plugged into the ASA.
 
What I would like to accomplish is to put my inside interface (vlan1) on another static ip for outside access if thats possible, so that I can route those clients through opendns.org however however giving them more web privlieges than what the guest network is getting.

View 14 Replies View Related

Cisco Switching/Routing :: 5505 Running Out Of Available IP Addresses On Subnet

Oct 7, 2012

I have a customer who has an ASA 5505 that is handling the routing for their internal network. They are running out of available IP addresses on their subnet 192.168.1.0/24. They have dumb switches that don't suppport multiple vlans or trunking & they are only able to connect to one switchport on the ASA. He doesn't not want to purchase any new equipment or rearrange their existing equipment at this time. The customer would like to statically assign IP addesses for 192.168.1.x & 192.168.2.x and have the ASA hand out DHCP addresses for 192.168.3.x addresses. The customer suggested configuring a super subnet. A 192.168.0.0/22 address scheme would provide an ip range 192.168.0.0 - 192.168.3.255 on a single VLAN. I know this is an unconventional way to setup an internal network & I will definitely advise the customer that this should only be considered as a temporary solution until they get more appropriate network equipment.

View 3 Replies View Related

Cisco Switching/Routing :: 1433 - Span Port Configuration To Listen To Specific Traffic Only?

Nov 2, 2011

Is it possible to configure the span(switch port analyzer) port and restrict it to only listen to ingress and egress of TCP/1433 from the source port?

View 2 Replies View Related

Cisco Switching/Routing :: ASA 5505 Dropping Port 443 Traffic?

May 10, 2012

Networking is not my gig, but it has to be at this very moment.  We have an ASA 5505. Let me explain what's going on.
  
On Tuesday I wanted to be able to use the ASDM since there is less room for error.  But we only had a console set up.  So I ran the following commands...
 
in ($config)   
http      of course didn't do anything incomplete command
http 192.168.1.2 255.255.255.255        didn't anything incomplete command
http 192.168.200.254 255.255.255.255 inside 

[Code]....

Everything started working after that.  Everything worked fine all of wednesday and thursday.  Then this morning it stopped processing again.  When I traceroute it gets to the machine that is hooked up to the console and stops.  So I'm guessing its actually getting to the ASA router and being swallowed up again...

View 23 Replies View Related

Routing Of Specific Traffic To Certain Interface?

Jul 7, 2011

I have two ethernet adaptors on my windows machine. OS is Win-XP.I am running ADSL broadband on LAN1 and on LAN2 I am accessing applications on our company's WAN. LAN1 is on 192.168.1.0/24 subnet and LAN2 is on 10.68.104.0/22 subnet.Accessing application through LAN2 involves DNS that is located distantly, therefore routers are also in picture.Problem is that while accessing the application that run on the network of LAN2, I have to disable LAN1. Otherwise the traffic goes on LAN1.

View 2 Replies View Related

Blocking URL Addresses Within Linksys E3000?

Mar 19, 2011

I am getting a little frustrated. I know how to access my router's configuration and under Access Restrictions I am trying to block a URL. However, after I enter the URL and save the settings, it does not block. I have enabled the policy, but still no can do.

View 1 Replies View Related

Cisco :: Blocking Internet Connection During Specific Time

Sep 7, 2012

How to block Internet Connection during specific time.for example i want to block everyday between 8am to 12nn, then 1pm to 5pm.what are the options and better to achieve this kind of policy??

View 6 Replies View Related

D-Link DIR-615 :: Blocking Not One Specific Website But All Websites?

May 16, 2013

In Setup > Parental Control it is possible to set rules attached to specific website URLs. I want to block access from 1am to 6am.

However these rules only apply to websites URL. Is there a way to apply a rule to ALL websites at once? I tried to enter "*" or "*.*" in website URL field but it doesn't work.

View 1 Replies View Related

D-Link DIR-655 :: Blocking Specific Computers On Lan From Websites?

Apr 28, 2011

Is there a way to block specific computers on the LAN from specific web sites by the domain name? All I can see is that if I put, for example, www.facebook.com, it will be blocked from all computers on the LAN, whereas if I want to block only 192.168.1.3 for example, I have to use the IP address through the Access Control, which is much harder and ****e to some "work around" by the user.

View 3 Replies View Related

Cisco Firewall :: 5520 - URL Blocking To Be Applied To Specific Users

Feb 10, 2010

I am having ASA firewall 5520. I want to block yahoo mail, gmail using regex for particular users only.

View 5 Replies View Related

Cisco Firewall :: RV120W - URL Blocking / Limit Internet Access To 1 Or 2 Specific Websites

Aug 18, 2011

My company has a peer to peer network of 10 personal computers without a server.  Operating systems from Windows XP to Vista.  I've recently installed a Cisco RV120W Wireless-N VPN Firewall.  It's configured in DHCP Server Mode with printers/copiers that have static IPs below the DHCP range.
 
I'm having a problem with certain stations being used for personal networking, shopping, etc. during business hours.  Consequently I would like to limit internet access on these stations.  However, some internet access is required because of online database software that's an integral part of our business.  I've been reading in the Administration Guide about URL Blocking.  Would it be possible to give static IPs to certain stations and then limit their internet access to 1 or 2 specific websites?
 
FYI, I've read about the Trusted Domains and Blocked Keywords but cannot quite understand how to parley this into the solution I need.

View 1 Replies View Related

Cisco WAN :: 881 / Force Ports To Accept Only Devices With Specific Mac Addresses

Nov 12, 2012

I have a cisco router 881 with advipservices running ios Version 15.2(4)M1 this router is a device that the user will connect company equipement with antivirus and such.is there a way I can force the ports like fe0 fe1 2 3 to accept only devices with specific mac addresses?if not, is there a way for me to apply an acl to vlanX to block everything that's not from these specific addresses?

View 4 Replies View Related

Cisco Routers :: WRV200 - Setup Specific External IP Addresses To Get Through Firewall?

Oct 10, 2011

Trying to get a service setup with a third party to access our system (ERP web service to access our ERP data, making data available to customers and vendors via internet).  They require that I setup four external IP addresses to have access through the firewall.  I haven't figured out how to do this. I'm using a Linksys WRV200 router. 

View 1 Replies View Related

Cisco Switching/Routing :: Filter A Specific Host(s) From OSPF Routing Table On A ASA 5550 (ABR)?

May 22, 2013

I am attempting to filter a specific host(s) from my OSPF routiing table on a ASA 5550 (ABR) using LSA prefix lists.  However, when I look at the other routers in that area, I notice that ALL LSA type-3's are being removed (10 hosts are now missing from the routing table). I have verified the filter is working on the ABR, but I can't figure why ALL hosts/routes that were coming into the area are now being filtered instead of the specific one that I want to filter out.
 
Here is the config on the ABR:
 
prefix-list pdm_pl_000 seq 10 permit 206.253.180.137/32
!
!            
router ospf 1
network 10.0.0.0 255.255.255.0 area 0
network 10.150.10.0 255.255.255.0 area 10
network 10.150.252.0 255.255.255.224 area 10

[code]....
 
The 206.253.180.137 host is actually coming from Area '3'.  Am I doing something that is removing all type-3 LSA's?

View 3 Replies View Related

Cisco WAN :: 5505 Routing Server Initiated Traffic From DMZ

Apr 25, 2011

I have setup an ASA 5505 w/ Security Plus with three subnets. The subnets are as follows:

VLANSubnetWAN 10.0.0.80/29LAN192.168.1.0/24DMZ172.30.200.0/24 ]

The ASA is the gateway router at .1 for the LAN and DMZ networks. On the WAN network, the ASA occupies .85 and uses .86 as it's gateway to the Internet. Clients on the LAN are able to access the Internet without any troubles. I have a static NAT setup to map the DMZ server's 172.30.200.81 address to 10.0.0.81. I also have a general NAT that should allow other servers on that network to access the internet, but no machine at all on that network can route outside of 172.30.200.0/24. I used the packet tracer and had it trace traffic coming from the DMZ network to the Internet, and it did not show me any conflicts with any of the access lists or anything else. However, no matter what I do, I cannot initiate traffic from the DMZ and have it go out to the Internet successfully.I attempted to follow the directions in the article PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example; but I have obviously missed something, done something wrong, or perhaps the example assumes something about my configuration that I have not done. See the attached config file that I have scrubbed. I have removed  VPN configuration information and other unnecessary parts of the  config file to make it easier to read. I have setup an ASA 5505 w/ Security Plus with three subnets. The subnets are as follows: VLANSubnetWAN 10.0.0.80/29LAN192.168.1.0/24DMZ172.30.200.0/24 ]

View 4 Replies View Related

Cisco Firewall :: Blocking P2P Traffic On E2500?

Feb 15, 2013

networking but can understand with a bit of explanation.. I own a restaurant and provide free WiFi for my customers with a Cisco E2500, I am gettign bills that are through the roof, I contacted my ISP and was told users were accessing P2P downloads(uTorrent, etc.). How can I block these applications?

View 1 Replies View Related

Cisco Switching/Routing :: 1841 / Blocking Broadcast In Network

Oct 4, 2012

I am using 1841 LAN router. Recently some broadcast is happening in our network when some users are connected. I need to block them automatically by detecting who are they.
 
I can block them manually but i want router to detect them and block.

View 4 Replies View Related

Cisco Switching/Routing :: Blocking MAC From VLAN Access 2950

Dec 11, 2011

We have a group of computers on their own VLAN.  A router allows internet access while keeping them sandboxed.  We don't want them accidentally connect to our production network.  We blocked their wireless MACs in unauthorized WAPs.  I'd like to do the same thing for their ethernet MACs on our switches, (a mixture of 2950,2960 and 2960G currently testing on C2960-LANBASE-M, Version 12.2(25)SEE2).  I've been unable to locate the correct method on google, by searching these boards or in the command reference.
 
What is the best practice for blocking a group of MACs from accessing a particular VLAN on a network consisting of several Layer 2 Switches? 

View 4 Replies View Related

Cisco Switching/Routing :: 802.1d - Can Blocking Ports Hold BPDUs

Nov 25, 2012

Blocking Ports don´t send BPDUs, but they can receive them from designated ports.Blocking ports, can it hold BPDUs?
 
I think that Blocking Ports only receive, analyse and then discard the BPDU.But, what happen if the blocking port receive a better o worse BPDU? in this case, must be the bpdu stored?

View 2 Replies View Related

Cisco :: 2500 Wireless Controller Blocking Traffic

May 16, 2012

I have a Cisco 2500 Wireless Controller connected and controlling 5 Cisco AP's.  Everything works fine except one device.
 
This device is used to connect to our AP wirelessly and then any of the wireless laptops can use programming software to connect to the device and program through it.  I can successfully set up our device on the network and all PCs can ping it, but the programming software refuses to connect to it.  I spent an hour and a half on the phone with the device people who assure me its the network.  So, I bought in a cheap Linksys router, hooked one laptop up to it and configured the device wirelessly.  With that, the programming software works.

what should I be looking for in the Wireless Controller that may be blocking direct connection to the device even though I can ping it?

View 10 Replies View Related

Cisco Firewall :: PIX 515 Blocking Outbound Traffic To Certain Sites

Oct 14, 2012

I have a LAN with several linux boxes (Fedora 17, both 32 and 64 bits),  as well a a WInXP box. All of these are connected to the same switch,  which is connected to the inside port of my PIX 515.
 
For a few sites (mozilla.org happens to be one of them), for http access, the tcp connection is established, but the "GET" request - or anything else for that  matter - will not go through the PIX (from inside to wan). I have  verified this by first, using wireshark to watch the packets being sent  out from the client box, then by using the trace function in the PIX to  see that the packets ARE arriving at the inside interface, but ARE NOT  sent out of the wan interface.
 
This is for the linux boxes ONLY. When I do the same thing with my WinXP  box, all works: in the PIX trace, I see the packets arrive at the  inside interface, and leave the wan interace. And access to these sites  are okay.
 
(What's a bit weird, although somewhat expected, when I connect my android phone to my LAN via WiFi, it too is unable to reach those sites - but then again, android is linux, right?)
 
In addition to the tracing, I have narrowed this problem down by connecting a linux box directly to my DSL router, then replacing the PIX with a simple router/gateway. Both of those solutions work.
 
Some background:
 
I have been using this PIX for about 10 years now, with the same  configuration (except IP addresses). Only in the last several months has  this problem started to show up.
 
I got this pix from a dead company at a really great price (free), so I'd like to keep it, and not have to spend money on something  else. I don't have any support license, and have not been able to get  any software upgrades. Here is its version info:
 
taz(config)# sho ver
 
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)
 
Compiled on Fri 07-Jun-02 17:49 by (code)
 
Serial Number: 405200362 (0x1826ddea)
Running Activation Key: 0x38ac31f3 0x0630df47 0x9a77b805 0x8bc39a60

PS: Since this PIX is at its end of life, I was wondering if any of the  software upgrades would be now available without a license?

View 2 Replies View Related

Cisco Firewall :: 2921 - ZBFW Not Blocking Traffic From DMZ

Apr 22, 2013

OK, I have a 2921 on 15.3-2T. ZBFW is working from the inside to the outside, but the DMZ is not being blocked at all to the inside. I am currently running with subinterfaces. All interfaces have zones attached. I have policies from inside to outside and DMZ to outside, those work fine. Without any policy from DMZ to inside, it can pass traffic freely from DMZ to inside. I have tried making an explicit policy to drop all to inside, still passes. I ended up just having to put an ACL on the interface
 
I already tried upgrading the IOS, that is how I ended up on the newest version. This is connected to a 2960S with a trunk port. Everything else works perfectly except for the DMZ security. I haven't had time to try to lab it up yet, but wanted to see if any reasons this shouldn't work, as all documentation says it should drop all traffic unless you make a policy to pass traffic.

View 5 Replies View Related

Cisco Switching/Routing :: 881 - Blocking DHCP Requests Of Windows Clients?

Nov 18, 2012

We've got 5 remote offices with cisco 881 routers, Win Clients behind them and all routers connected via vpn site-to-site to central software router.

Mostly all clients recieve ip addresses from routers in their subnets 192.168.x.024
We have Win DHCP Server in subnet 192.168.181.024
 
The problem is that some of clients,physically sutuated in 192.168.10.024 subnet, recieve ip addresses from Win DHCP server from 192.168.181.024 subnet.
 
Here's part of cisco cfg:
 
interface FastEthernet0
no ip address
!
interface FastEthernet1

[Code].....

View 3 Replies View Related

Cisco Switching/Routing :: 2960 STP Mode Blocking For No Apparent Reason

May 30, 2013

I've run into an odd problem - I have connected two 2960s together with copper on FastEthernet interfaces, and STP on the new switch immediately puts that port into blocking mode. I don't understand why this would be, since there is only one connection between the two, in fact, there is only one connection at all on the switch that is blocking.

View 6 Replies View Related

Cisco Switching/Routing :: SG-300 52 Native VLAN Blocking Network Packets

Jun 15, 2013

SG-300 52 native VLAN blocking network packets

View 3 Replies View Related

Cisco Switching/Routing :: 3560 / STP Loop Guard Blocking Vlans?

Mar 24, 2013

I have a strange issue where spanning-tree is blocking vlans through a mesh network.Here is my set up.

2-Cisco  3560's that have two trunk ports set with do1q and a native vlan of 2.  I'm allowing a client vlan (2) and a voice vlan (103) to come over the  trunk. They have a native vlan of 2 so the mesh APs can get an address  through DHCP. Spanning-tree loop guard is also enabled.
 
When connected to the mesh network, the voice vlan is being blocked by spanning-tree. I get the following erros:
 
000129: *Feb 28 19:24:58.289 EST: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/1 on VLAN0103.000130: *Feb 28 19:24:58.448 EST: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port FastEthernet0/1 on VLAN0103.
 
Eventually  the loop is cleared and the port is set back to a forwarding state from  a blocking state. I don't want to disabled spanning-tree loopguard since I don't want to create a loop. The mesh network is supposed to act as a P2P connection between two switches. As  a test I disconnected the APs from their trunk ports. I then used a  cross over cable to connect the switches and no spanning tree loops  occured. The mesh doesn't have STP enabled on it and should just be acting as an over-the-air connection from one switch to another.

View 1 Replies View Related

Cisco Switching/Routing :: Router 2911 Blocking Single IP Address

Jan 29, 2013

We have a Cisco 2911 router in our company. I didn't set it up myself nor I was involved. I only started working here recently, bit over 3 months ago. I have been given ongoing task which other IT Technicians been struggling for almost a year with a idea that maybe because I'm fresh person in the company I will find a original idea why could this thing not work.
 
Our router have a problem with blocking a single IP address, but not completely  It's hard to explain but I will try my best. Company is hosting their website externally and accessing the host and FTP on the host on daily bases. It is important for the website to work on the internal network in company. It does work sometimes, but from time-to-time the website showing time-out error 118 on any point before Cisco router using both http and https, have tried putting just the IP address( doesn't matter is it on the general network or last ISA server on DMZ ). I am able to connect to the website using any of proxy gates but not directly to the website. I have also tested the connection past the router and I was able to connect to the website without any problems. I am also able to ping the host's address from the router and internal network.

I have eliminated the possibility of not correctly setup proxy or firewall on the network as problem also occur on the DMZ. I have also checked access-lists on the router and firewall rules for Any possibilities and I can't really see a way why would the router do this.

View 2 Replies View Related

Cisco Switching/Routing :: 3560 PoE Blocking Ports In Trunking Between Switches

Apr 25, 2012

I have a connection between switches, There are a 3560 (Gi0/37) and a 2960 (Gi0/1), the  problem is in the port Gi0/37 of the 3560 switch and this is the log. [code]
 
I dont understand what is the problem, actually i have added the command power inline never on the port and the problem is solved, but we haven´t changed configuration.

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved