Currently, we allow /24 into our DMZ as follow: [code] Now, if we need to extended the /24 to a bigger scope ( range of 15 class C networks ) : can I just re-used the static route or should I use a ACL to allow traffic? This is on a ASA5585
View 1 RepliesWe have a firewall service environment where logging is handled with UDP at the moment. Recently we have noticed that some messages get lost on the way to the server (Since the server doesn't seem to be under huge stress from syslog traffic). We decided to try sending the syslog via TCP. You can imagine my surprise when I enabled the "logging host <interface name> <server ip> tcp/1470" on an ASA Security context and find out that all the connections through that firewall are now being blocked. Granted, I could have checked the command reference for this specific command but I never even thought of the possibility of a logging command being able to stop all traffic on a firewall.
The TCP syslog connection failing was caused by a mismatched TCP port on the server which got corrected quickly. Even though I could now view log messages from the firewall in question in real time, the only message logged was the blocking of new connections with the following syslog message: "%ASA-3-201008: Disallowing new connections."
Here start my questions:
- New connections are supposed to be blocked when the the TCP Syslog server are not reachable. How is it possible that I am seeing the TCP syslog sent to the server and the ASA Security Context is still blocking the traffic?
- I configured the "logging permit-host down" after I found the command and it supposedly should prevent the above problem/situation from happening. Yet after issuing this command on the Security Context in question, connections were still being blocked with the same syslog message. Why is this?
- Eventually I changed the logging back to UDP. This yet again caused no change to the situation. All the customer connections were still being blocked. Why is this?
- After all the above I removed all possible logging configurations from the Security Context. This had absolutely no effect on the situation either.
- As a last measure I changed to the system context of the ASA and totally removed the syslog interface from the Security Context. This also had absolutely no effect on the situation.
At the end I was forced to save the configuration on the ASAs Flash -memory, remove the Security Context, create the SC again, attach the interfaces again and load the configuration from the flash into the Security Context. This in the end corrected the problem. Seems to me this is some sort of bug since the syslog server was receiving the syslog messages from the SC but the ASA was still blocking all new connections. Even the command "logging permit-host down" command didn't wor or changing back to UDP.
It seems the Security Context in question just simply got stuck and continued blocking all connections even though in the end it didn't have ANY logging configurations on. Seems to me that this is quite a risky configuration if you are possibly facing cutting all traffic for hundreds of customers when the syslog connection is lost or the above situation happens and isn't corrected by any of the above measures we took (like the command "logging permit-host down" which is supposed to avoid this situation altogether).
We just changed ISPs and now have a /29 routed subnet to be used on our ASA 5510 (8.4) instead of the one public ip we had before.There are a couple of PAT translations that were previously setup on the "interface" address which i now want to assign to a different ip address further in my subnet.
So i just changed this:
object network BMMM
nat (inside,outside) static interface service tcp smtp smtp
to:
object network BMMM
nat (inside,outside) static other.external.ip.in.subnet service tcp smtp smtp
And assumed that this would work,y it does not, and this leaves me unable to contact that machine from the outside.And shoud i also change my access-list?The relevant access-list rule is:access-list outside_in extended permit tcp any object BMMM eq smtp
I am not very familiar with ASA 5520 yet.I have been able to allow the OUTSIDE world to connect via SSH to the intermal host 172.17.2.50 on my DMZ network. I've created a NAT rule and an ACL as written on the configuration below.
Now I need the INTERNAL network to ssh 172.17.2.50 but ASA stops me with the following error: [code]
I'm having with my VPN Server on my Cisco 2621xm.
I started by creating a VPN - everything worked great. I assigned the DNS Servers, Domain name, WINS Server so when I connect I'm able to resolve local hostnames on the network with no problem, however, I had no internet access... I then set up a split tunnel access list. Since I've set that up, I'm now able to ping internet based addresses url... but no longer able to resolve internal host names. I can ping the ip addresses, just name resolution no longer works. [code]
I am new to the ASA series and I am at a complete loss as to why I cannot configure this router to forward SMTP and RDP traffic to an internal host.
The packet trace tool in ASDM shows complete end-to-end connectivity for RDP but it still fails to connect from outside. This is my config file, what I need to change in order to make it work?
I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.
View 1 Replies View RelatedI have a 5585 with version 8.4.2?I have issues accessing the asa using ssh or asdm via remote access vpn. The configuration details are the following:
10.8.251.30 -- addess assigned from the pool
10.8.251.4 -- inside interface address in the ASA
1.The VPN establishes without problems and I can reach any inside resource, also I can ping the firewall.
group-policy pol1 attributes
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value pol1_splitTunnelAcl
[code]....
If I allow the direct http/ssh connection to the outside/inside interface, it works perfectly.
I just upgraded my ASA 5585 cluster from 8.2 to 8.4. I also upgraded the asdm .bin from 6.35 to 6.43. after rebooter the cluster, I try to access it with ASDM installed on my computer but it blocked at 17%.I tried to access [URL] but I just an error (with IE & FF) [code] What did I miss in the ocnfiguration ? I precise that I never used the http page, I already had the ASDM installed from another ASA.
View 4 Replies View RelatedI'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles does not include "per group restriction". Under the ACS I defined one group per department? My objective it to allow each department to access their ACS MAC database to add or delete MAC addresses as required.
How to restrict internal identity store per group?Do I need to create new roles? and how?I was not able to get an answer from the ACS ADMIN manual.
I have created remote access vpn in my ASA 5505. The tunnel is established but i am not able to access the internal network.
View 3 Replies View RelatedI have a host that can successfully connect to a PIX 515E (7.x OS) via VPN Client; however, I have no IP routing to the LAN from the remote host.The VPN IP pool works finem,The LAN default gateway is the inside interface on the PIX; the network is flat L2 behind it.The default route on the PIX points out; no other routes are defined,The VPN remote host can be pinged from LAN hosts, but the VPN remote host cannot ping any LAN host, not even the PIX inside interface.
View 2 Replies View RelatedASA 5510
Ver 8.2(5)
I have been looking all over the place for the answer of how to allow clients on an IPSEC VPN to ping from host to host.
I got one request from one of the user to allow his ip to access one public using port www, this needs to be allowed in Cisco PIX, if the below command is correct for this.
Source host : 10.84.11.1
Destination IP : 203.126.112.131
Port : www
access-list acl_outbound permit tcp host 10.84.11.1 host 203.126.112.131 eq www
I recently bought Cisco RV120W-E V01 and insall it in my home (with firmware 1.0.4.10). I want to establish PPTP conection from my notebook (when I am not at home) and to access (through VPN tunnel) to all hosts in my LAN (with no port restrictions). I configured VPN (PPTP) users and I can establish PPTP tunnel from client to RV120W. My traffic to Internet is going through VPN tunnel to RV120W and then out on Internet, and that is fine. What is not fine is that I can not access to any host on my LAN, and that is the main reason why I configured PPTP tunnel. It is not clear to me, when I am reading admin guide, what I have to configure to allow only my tunnel traffic to reach LAN hosts.
View 2 Replies View RelatedI'm just wondering if its possible to ping an IPv4 host using the IPv6 host assuming that the NAT64 has already been implemented?
[code]...
I have created a RA VPN with a 5505 using Anyconnect client. My VPN functions perfectly, but now I am trying to limit access so that only one single host on my network can connect. To do this I tried creating an ACL permiting the host and denying all other traffic, but it does not work it seems every one can connect. how I can limit the outside access to a single host?
View 3 Replies View RelatedBasically after upgrade from ASA 8.4 to 9.0 (2) I have problems when certain types of NAT.Example:SA 8.4: nat (LAN, outside) 85 10.252.253.123 source static 192.168.3.2 192.168.3.2 192.168.3.104 static destination service http http In this form the host 192.168.3.2 uses the mapped ip (192.168.3.104) to access by http while other ports can be accessed using the original IP (10.252.253.123).
ASA 9.0: nat (LAN, outside) 85 10.252.253.123 source static 192.168.3.2 192.168.3.2 192.168.3.104 static destination service http http In this form the host 192.168.3.2 uses the mapped ip (192.168.3.104) to access by http but unlike before now I cannot access to the original IP (10.252.253.123) using another port or ping from host 192.168.3.2.
I'm working on setting up a new ASA 5550, and have run into a question that I hope is easily answered.I currently have 4 interfaces, SL100 Inside, SL80 DMZ1, SL50 DMZ2, and SL0 Outside. I was under the impression that each interface, depending on security level would pass traffic from higher levels to lower, but not allow traffic being generated from SL80 to SL100.
What I would like to accomplish is that any hosts on my SL100 Inside interface can access the "internet" which is connected to my outside interface of the ASA, which was very simple, just a permit internal subnets eq www / https / etc...
My DMZ subnets need to access a few servers on my internal interface, and need outbound access to the world as well. Thinking that all traffic from my lower SL interfaces on the ASA would be denied, I entered a permit IP / DMZ subnet ------> any. This worked great for giving my DMZ hosts access to the internet, but it also permit traffic from the DMZ to hosts on my Inside interface as well.
Trying to allow inbound access from any host outside to my LAN server on port 995. [code]
View 1 Replies View RelatedI just bought pc anywhere software, after instalation in my host pc and laptop(remote) it work very well when I used it in the same network in my Rv camping ground where I have a mobil router with a Verizon broad band card.Later when I come back home where I have a cable internet with a router, I tried to access the host pc but after several minutes trying it said cant find host pc.
View 6 Replies View RelatedI cannot access Internal network to DMZ with public ip but i can access public servers in DMZ with External network.
View 1 Replies View RelatedI recently bought and installed a WAP4410N access point (using PoE) and it's running stable. I was able to access the web-based configuration by using the IP address of the AP (something like 192.168.0.184, coming from the DHCP of my router). However, I'm unable to access the web-based configuration using the host name of the device (mentioned next to the device name in the basic setup section of the web-based configuration). I changed the host name several times, but I can't connect to the device using the host name. Accessing the device by its IP address works, but I have to check the logging of my router to find out which IP address I have to use. Is there a way to access the device using the host name?
(I think my WAP4410N has firmware version 2.0.2.1 installed)
i am using a Cisco 1841 with subinterfaces instead (NAT on a stick).From the internet i can access services on public IP being hosted in LAN2. But when i try to access the same services on the same public IPs but sitting on LAN1, it does not work.
View 1 Replies View RelatedI have an ASA5505 running ver 8.0(2). I have configured the ssh timeout, ssh host commands and did the crypt o key gen. I am unable to access the device from the host I am allowing. Is there like ca save all command required? I am trying to use the default pix and telnet password. Do those still work?
View 3 Replies View Relatedi am using a Cisco 1841 with subinterfaces instead (NAT on a stick).From the internet i can access services on public IP being hosted in LAN2. But when i try to access the same services on the same public IPs but sitting on LAN1, it does not work.
View 3 Replies View RelatedCan I Access Network Drives/Printers If The Host Computer Is On The Welcome Screen, Or Does It Have To Be Logged Onto An Account.
View 1 Replies View RelatedWe have gotten our anyconnect clients to connect to the VPN with no issues and verifying credentials with RADIUS. Remote users however cannot access internal resources through the VPN. I know I need to setup an NAT Exempt statement for my VPN Pool to the Internal Network,
View 5 Replies View RelatedI seem to be having an issue with my PIX configuration. I can ping the VPN client from the the internal network, but can cannot access any resources from the vpn client. [code]
View 4 Replies View RelatedWe have ASA5510s and I've configured an SSL VPN using AnyConnect.. The VPN address pool is 10.10.10.0/24 and our internal network is 10.10.20..0/24. After successful login, using LDAP. the client receives a 10.10.10.0/24 address from the pool, but cannot access anything on the internal 10.10.20.0/24 network. I've toyed with access lists and NAT exemption, but to no avail. What do I need to do?
View 8 Replies View RelatedFor a config on a 2821 router with IOS 15.1?I've setup an internal web server and am able to acccess it from outside our network but not from inside (on a separate internal LAN - 192.168.10.0). When on the internal LAN - DNS points to the Public IP for the web server - so we'd need to route through the Public IP to access the web server.
What is the best way to allow access to the web server XX.XX.XX.231 from 192.168.10.0 network?
Related Config Lines to Allow Access to Web Server
NAT
ip nat inside source static tcp 192.168.1.230 80 XX.XX.XX.231 80 extendable
ip nat inside source static tcp 192.168.1.230 443 XX.XX.XX.231 443 extendable
ACL
ip access-list extended WAN
permit tcp any host XX.XX.XX.231 eq 443
permit tcp any host XX.XX.XX.231 eq www
[code]....
The old syntax that I am much more familiar with has been deprecated. On older IOS it would have been something like static (inside,outside) tcp 209.114.146.122 14033 192.168.30.69 1433 netmask 255.255.255.255 Plus an extended ACL to allow the traffic.I am trying to create a Static PAT to allow a host address to access our Network through an ASA. I have external address 209.114.146.122 that I want to hit the external interface on an obscure port (say 14033) and translate that traffic to an internal host address on port 1433.
View 11 Replies View RelatedHave a new DIR-825 setup at home for coverage to another part of the house. I want to completely restrict clients using this WAP from accessing a couple internal IP's (that I use for work-related things). Restriction meaning filesharing, ping, RDP, etc - everything. Can this be done on the router side?
View 3 Replies View Related