Cisco VPN :: 5505 Allowing VPN Network Access To Specific List
Feb 1, 2012
I've set up my VPN on the Cisco ASA 5505, which works perfectly; users from outside can access my internal LAN. Now what I want is to create another VPN tunnel group with another set of IPs, to which I want to allow access to one server inside our LAN. See the network details below. [code]
I'm a college student working on a lab involving a Cisco PIX 501 Firewall.
My project involves 1 computer and a firewall. My goal is to use the firewall to allow access to the internet for that computer which uses a static IP 192.168.1.5 and ONLY for that IP address. The firewall is connected to the internet.
I have the computer hooked up to the firewall with the serial and using hyper terminal to enter commands. I think I need to use access lists in order to deny traffic on those ports for those particular hosts. I can't figure out exactly how I need to set it up.
What I need to do is permit internet access for 192.168.1.5 alone. Any other IP should not be able to access the internet.
access-list 1 permit tcp host 192.168.1.5 any eq 80
access-group 1 in interface inside
I cannot access the internet using the computer with 192.168.1.5. The goal is to be able to access with that IP and no other.
I have created a RA VPN with a 5505 using the AnyConnect client. My VPN functions perfectly, but now I am trying to limit access so that only one single host on my network can connect. To do this I tried creating an ACL permitting the host and denying all other traffic, but it does not work; it seems everyone can connect. How can I limit the outside access to a single host?
I have a computer behind the ASA 5505 firewall. The computer needs to access the Microsoft Activation Server. Reading some website information, I need to allow a huge list of servers that basically points to www and https traffic. Therefore, looking at this heavy requirement, I prefer to allow this computer to navigate to any https or http (www) server outside of the firewall. I have included my current ASA 5505 configuration. [code]
I'm configuring a 5505 for a remote office. Until they are assigned a static IP by the provider I will have to use the provider's DHCP address. How do I construct an access list for the outside interface using the external address if I don't know it yet? Is there a command that will insert the IP address into the access list once one is assigned?
We have a Cisco wireless infrastructure in place that includes a guest network with its own subnet that is a sub-interface of the inside interface on our ASA 5520. There are no routes for it to be allowed access to the internal subnets, so it can only access the internet. This is primarily used by the public, but we have several non-employee personnel that we only want to give internet access and force them to access the internal network through our clientless SSL VPN portal or through other internet-facing internal resources such as webmail. I have done packet traces from within the ASA and the break appears to be that there is no ACL allowing the traffic back into the network once the web resource replies to the request and the traffic is attempting to come back into the network from the web resource. Is that as clear as mud?
I know that this has to be a common problem, and a way around this is to allow the guest wireless network access to the internal network but only for the select resources that they require, and that this can be done seamlessly by network-specific routes and/or alternate DNS entries. But I would like to keep this simple and just allow them to access the web resources, webmail and VPN, from the guest wireless using internet DNS servers without route trickery.
I am having difficulty following the logic of the port translation. Here is the configuration on a 5505 with 8.3. So I would have thought the outside access-list should reference the 'mapped' port, but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully.
I have a Belkin N750 router which I purchased because the box said it had filtering options. I didn't realize that the filtering was only sites that Norton kept track of. There are certain adware sites I know about that I would like to filter. Possible with this router?
I am trying to switch out a Cisco PIX 501 firewall with a Cisco ASA 5505 firewall. I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one. Unfortunately, my script is not working with the 5505. What am I doing wrong with the following script? I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults. I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network. [code]
I'm new to the ASA; I'm just self-studying it. I was tasked with creating an ACL that will allow inside hosts to access a specific network. Is there a way to find all the inside hosts behind the ASA so that I can put them in an "object-group network", which I think will look neat?
I'm usually not working with this product, but this is what I'm trying to do. I have 2 internal networks set up on our Cisco ASA 5505 firewall (not done by me; I'm new to this product). I'm trying to access a server on one network from a PC located on the other internal network (preferably through the web GUI). When I try "Packet Tracer" from interface "Trust4" it fails on the NAT phase (source IP: 10.0.4.99, destination IP: 10.0.6.99). When I check the NAT rule, it says: Type: Dynamic, Source: any, Interface: outside, Address: outside.
1. To specify static IPs for components on my network, is it simply a matter of reserving each component in the DHCP Reservations List portion of the Network Settings page?
2. On the same page, in the DHCP Server Settings portion, if Enable DHCP Server : is deselected, does this mean that only the hosts specified in the DHCP Reservations List can access the network? In other words, is access now restricted to these entries?
3. If the DIR-615 is powered OFF, will the above settings, etc. be lost (similar to a reset)?
I have a 5540, and I am trying to allow internet access for a specific network object group, which contains a bunch of users who need direct internet access without any restrictions. I have tried with dynamic NAT, but that configuration asks for a specific IP or a network range, and it is not permitted to configure an object group as a source.
The group is located in the LAN zone, so a permission from one zone to another zone is needed, I think, but I can allow internet access to that group. Is there another way to get that, different from NAT?
Abruptly internet access disappeared. It's a router issue, none of the computers here can connect. Further, I can't access the router through a browser - 192.168.0.1 results in a "Firefox cannot connect" message. I've tried resetting the DNS to no avail. I'm typing via cell phone and it's annoying, but I'm willing to try about anything.
We had an ASA 5510 as a firewall in our environment, and there is a requirement to access an FTPS server from our location. Currently from the server location they configured everything by allowing our public IP to their server and gave the following details to access FTP. Please suggest which traffic needs to be allowed in our ASA to access the FTP server address as mentioned above. From my initial analysis, it's found that port 989 is also enabled for the access, but that was not mentioned by them.
I have an ASA 5550 at our main site with an external Ethernet interface to our ISP for internet access. I would like to allow 10.100.41.x/24 http/https access but block this network's access to all other internal networks including 172.17.x.x, 10.100.1 - 40.x, and others. I'm having trouble identifying what IP address to use as the destination for the permit rule for access to the internet. The rule that comes after the permit is to deny 10.100.41.x/24 access to internal network addresses.
Just getting started with ASAs. I've got my 5505 almost 100% configured, except for my port 25 forward to my Exchange server. Currently I've got an access list forwarding all traffic that hits the outside interface on port 25 to my Exchange server (access-list outside-in extended permit tcp any object mail-port-25 eq smtp). What I'd like to do now is say that only port 25 traffic from specific IP subnets gets forwarded. I thought I read that there are a couple of ways to do this (from the inside interface, from the outside interface).
Also, what happens to port 25 hits that don't fall within the range I specify? Do they get a disconnect reply or do they just get ignored (no reply whatsoever)?
Edit: ...just to clarify, the allowed IPs I will be entering are the WAN IPs of my AS/AV service.
I'm using an ASA5505 (8.4(1)) and would like to block port 80 on a specific host in the LAN so machines in other remote LANs connected via VPN can't access this port on the host. Devices in the local LAN should have access to this port on the host. Here are the commands I'm using:
access-list block_port extended deny tcp any host 10.20.10.20 eq 80
access-list block_port extended permit ip any any
access-group block_port out interface inside
These commands are not working as I would expect them to. When I browse to http://10.20.10.20 from a remote machine over the VPN tunnel I am able to access the host web server.
I just bought the 655, mainly for school/Xbox. My parents use it also, but I bought it for myself mainly (shh). I set it up correctly and got connected, but suddenly I wasn't allowed internet access. The router connects to my laptop, but won't get internet access. I called customer service and he didn't know what to do. We tried everything he knew and nothing worked. I don't want to return the router because I read it was very good, but I need internet for school. I have Rev. A and F/W 2.00.
We've got pairs of ACE30s in our data centers set up with active/standby FT. Some time yesterday the active ACE in one data center started refusing management traffic: it accepts SSH connections but fails authentication (local password, no RADIUS/TACACS is configured), and ANM reports it as down (no XML connectivity). We haven't opened a TAC case yet (someone's on his way over to see whether we can get in through the serial port first), but I'm wondering whether there are any other diagnostics we can gather (will resetting the module from the Sup force a coredump?) before we do.
We have a Cisco ASA 5520 and Websense. I added a filter but it seems like it is still not allowing us to access a certain website from most of the machines; however, some machines with the same configuration work on the DMZ. Accessing the website tells us:
"Firefox has detected that the server is redirecting the request for this address in a way that will never complete".
I inherited a Cisco ASA 5505 and am trying to piggy back the device off of an established Network. Here is the basic layout:
192.168.10.1 (Core Router - Handles DHCP/DNS)
192.168.10.9 (ASA 5505 - Piggy backing off of Network)
192.168.40.x (ASA 5505 - VLAN)
I'm able to get onto the internet without any problems. Devices from the 192.168.10.x network cannot ping the inside VLAN1 (192.168.40.x). However, I would like traffic going from the inside VLAN to the outside VLAN to be blocked, except for 192.168.10.1 and 192.168.10.9. I've tried using ACLs but end up killing my internet connection. 192.168.10.1 is the default route and is how I get out to the internet. Is this possible? Essentially, I'm trying to set up a small network that guests can connect to. The idea is that they can get to the internet, but that is it. They can't get to internal resources on the 192.168.10.x network.
Here is the config:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password EeCsulrpu.9LalEE encrypted
Currently using WCCP with Squid for content filtering. One of the sites we connect to needs to see the connection coming from our public IP address, not the proxy server IP. I've created an ACL in Squid for direct lookup, but the website gets angry with the X-Forwarder-Header Squid attaches to each packet. Is there a way in a Cisco ASA 5505 to bypass WCCP for a specific public IP address or URL?
I am looking to create an office network with each person having internet access but on a private network. However, everyone will need to be able to access a communal printer. Would they be able to see it if they were all on a different subnet, or would I need to set up VLANs?
My Netgear wireless router had been working just fine and then inexplicably stopped allowing wireless internet access. My modem is fine. I contacted my internet service provider, and no luck. I unplugged the router's power source and plugged it back in. Still not working. I switched the power on and off. Nothing. I do not know what to try next.