Cisco VPN :: ASA 5510 / Direct Specific Ports Down A L2L VPN?
Apr 18, 2013
I have a client that is trying to use an ISP hosted web filtering and content management gateway, the ISP wants to use and L2L ISPEC VPN from the site to their gateway to control traffic. We got the tunnel up today with a test ACL for test client side devices to go down the tunnel, but they are blocking all traffic that isn't being scanned. The problem is they are on an ASA 5510 with 8.2.2. You cannot add tcp ports into the nonat ACL, it errors out when you try to apply the nat (inside) 0 access-list nonat statement. We can define ports to go down the VPN in the interesting traffic ACL with out issue, but there is no way to send just the web ports down the VPN, and allow other ports out the regular overflow interface NAT. I have been looking into 8.4 and seeing if it allows a policy NAT (twice NAT for the VPNs) to define a port on an IP range (IE: nat (inside,outside) source static WEBINSPECT WEBINSPECT destination static any any ) but define that as web ports only.I don't have a test ASA to use, but i'm guessing that l2l vpn will be by IP only and I can't define a port to tunnel.
View 8 Replies
ADVERTISEMENT
Aug 1, 2012
I have an RV042. I understand and have created the services I need. The documentation is just not clear on how to direct traffic for these services to a specific wan port.
Can this even be done with this router? If so, the how? Use rate control or priority? Does checking a wan port mean that it will only go through that port?
View 4 Replies
View Related
Mar 23, 2013
A bit of a straight forward question, is it possible to connect a 5505 to a 5510 direct via a crossover or do you need a switch inbetween capable of trunking?
View 1 Replies
View Related
Apr 2, 2011
Currently, my customer has 2 units of Cisco PIX 515E running on Active/Standby mode. As for the heartbeat link, there are 2 dedicated switches placed in between both the Cisco PIX 515E i.e. FW1 --> SW1 --> SW2 --> FW2.
My customer will be changing both the Cisco PIX 515E to Cisco ASA 5510. Now, they are asking me, since they will be using Cisco ASA 5510 eventually, can the heartbeat link be a direct UTP cross cable or must the 2 switches in between still exist?
I remember I have tested this before, few years back, in the event I were to pull out the UTP cross cable that's connecting both the Cisco ASA 5510 Firewalls directly (without any switches in between), the Active/Standby mode still works fine. It doesn't go bad whereby both the Cisco ASA 5510 suddenly becomes Active/Active, and causes network issue.
Are switches required for the heartbeat link in a Cisco ASA environment or can a direct UTP cross cable connection be adequate.
View 3 Replies
View Related
Apr 30, 2012
Is the Cisco IOS version specific to the number of ports?IE, would a 24pt 2960 switch use the same IOS version as an 8 pt 2960 switch? Or is there a different IOS for each number of ports?
View 5 Replies
View Related
Mar 18, 2012
I wish to set up a ASA5505 with QoS, and to allow specific port numbers to have priority going through compared to rest of the traffic. Eg ports 21, 80, 443. So for example if im maxing out a torrent, it doesnt impact web traffic etc.The current link its connected to is 100mbit/2.5mbit connection..
View 1 Replies
View Related
Jan 8, 2013
We are looking to possibly purchase 2 RV042G routers. The main goal is to tie 2 sites together (via the internet) utilizing the site-to-site VPN feature.
Here is where it gets a little tricky. Since this device has 2 WAN ports, is it possible to assign a seperate IP address for each from our ISP? Then, what we would like to do is assign a couple LAN ports to have the traffic flow through WAN1 and the other LAN ports to flow through WAN2. The LAN addressing can be on the same subnet or seperate.
View 6 Replies
View Related
Nov 12, 2012
I have a cisco router 881 with advipservices running ios Version 15.2(4)M1 this router is a device that the user will connect company equipement with antivirus and such.is there a way I can force the ports like fe0 fe1 2 3 to accept only devices with specific mac addresses?if not, is there a way for me to apply an acl to vlanX to block everything that's not from these specific addresses?
View 4 Replies
View Related
Apr 18, 2012
A company with 20 branches in Rio de Janeiro area. The main servers are in a datacenter located in downtown.Each branch has a RV042 router with firmware version 1.3.12.19-tm (Feb 13 2009 13:03:21) installed.All users in this network have a proxy configuration pointing to proxy.[blah].com.br port 3128.the HTTP/HTTPS traffic should go through proxy only. [code] Some "smart" users were caught using Ultrasurf application, which changes the proxy settings to go through port 9666 or even 443.In other machines, we've found some black proxies [for example: 212.46.27.142 port 8080].
My objective:
- To close all ports in Firewall -> Access Rules section and grant permission only to some selected and specified ports.
- To redirect all HTTP/HTTPS connections to go to proxy's IP address only.
Which Access Rules can I set in these RV042s in order to block and prevent these users to continue abusing this network?The users who were caught using Ultrasurf were fired.
View 3 Replies
View Related
Feb 5, 2012
I'm trying to limit the bandwidth on certain ports to 3Mbps and others 1Mbps for a project, however when I do a bandwidth test from a website the speed on the router doesn't seem to change it's as if the changes over telnet aren't actually affecting the swtich's qos settings. I have verified that the policy is attached to the interface and the settings are correct as well.
Router
Telnet address: 10.xxx.xx.xx
Password:
[Code].....
View 1 Replies
View Related
Mar 5, 2012
How do I go about opening specific ports on an E4200?I'm having disconnect issues with a particular game, and the Customer Service drone thinks the ports required for the game aren't open. Nevermind the fact that it's worked fine for 6 months now, and the problem only started a few days ago.I figured I'd humor the idiot and open the ports, but all I can find is information on forwarding, not making sure the ports are open
View 3 Replies
View Related
Apr 20, 2013
open specific ports on 1941w Integrated Services Router.This specific router is a wireless VPN router that has a wired module and a wireless module and VPN so I'm getting 3 subnets on my network - 192.168.1.. for the wired connections, 10.100.1.... for wireless LAN connections and 10.100.2... for VPN remote connections.I know that by default all connected computers can access my Linux server data through telnet so the telnet port is open by default, the problem is that I have some other software licensing system on my Linux box that needs to be accessed through port 27000 and most of my users are using wireless connections and can't access that license because post 27000 is closed.what is the comand to open this post or any other port that I need to be open on the wired module, wireless module and VPN or at least poit me to somewhere where I can find all the commands that I can use for this router?
View 6 Replies
View Related
Sep 14, 2011
Is there a way to force a specific speed for the local ports? I'd prefer not to rely on the autonegotiation.
View 5 Replies
View Related
Feb 17, 2013
Is it possible to set up a domain specific DNS on an ASA 5510?The problem I am having is that while the site to site VPN is up the DNS servers on the main site are serving ip addresses for the remote site. Main site is on CBeyond and remote is on Time Warner so when doing an nslookup at the remote site it returns one IP address and when the remote site uses google DNS servers it returns another. The main difference being download speed (weird that it relates) as using main site DNS it was 3 hours and google DNS it took 10 minutes. I am looking for a way to serve DNS for the main site domains and for all public domains use google DNS or Time Warner DNS.
View 3 Replies
View Related
May 14, 2013
How can I hold the public IP on my cisco client VPN NAT session so nobody else can use it? I have a cisco asas 5510 inside is 172.10.20.86 public 166.245.192.90
View 1 Replies
View Related
May 13, 2011
I would like to ask some question about VPN clinet and SSL VPN, on my ASA 5510 i have many tunnel-group it have around 5 tunnel-group and i have one SSL VPN,i also have user 20 user. let me show you that:
1- tunnel-group Staff-VPN remote-access
2- tunnel-group Manager-VPN remote-access
3- tunnel-group normalstaff-VPN remote-access
4- tunnel-group guest-VPN remote-access
5- tunnel-group other-VPN remote-access
and tunnel-group sslgroup type remote-access
and i have user around 20 user and i want to specific user to tunnel-groups like this
1- tunnel-group Staff-VPN remote-access
username AAA password AAA
username AAA01 password AA01
2- tunnel-group Manager-VPN remote-access
username BBB password BBB
username BBB01 password BBB01
3- tunnel-group normalstaff-VPN remote-access
username CCC password CCC
username CCC01 password CCC01
5- tunnel-group other-VPN remote-access
username DDD password DDD
username DDD01 password DDD01
So, How can i manag tunel-groups with user?
View 3 Replies
View Related
Mar 16, 2013
I have ASA 5510 8.4 Firewall where more than 20 Site to Site VPN Clients are configured on it. how to see the traffic for one Specific Site to Site VPN.Actually this site to site vpn is always keep dropping for every minute. I'm sure its a problem at the other end.The remaining 19 VPNS are UP and working without any problem. How to see the traffic for specific vlan.More over we dont have any syslog server in our network. Is their any chance we can check the traffic on the firewall?
View 6 Replies
View Related
Jan 24, 2013
I do have one other question first. What's the effect of the crypto key zeroize rsa command, and then crypto key generate rsa modulus 1024 while I'm SSH'd to the ASA? Can I do it? Or do i need to be consoled in or connected a different way?
ASA 5510:
ASA Version 8.4(1)
asdm image disk0:/asdm-641.bin
asdm history enable
http server enable
http 10.1.1.83 255.255.255.255 inside
http 10.1.1.82 255.255.255.255 inside
Shouldn't that right there be enough to access ASDM from either host .82 or .83? Because I cannot. But if I add http 0.0.0.0 0.0.0.0 inside, then I of course can.
View 2 Replies
View Related
Aug 28, 2012
I got a Problem on a customer which is using a Failover ASA 5510 pair with SSM-CSC-10-K9 modules.The clients have to connect to a webserver where they are doing some calculations.If they prepare everything and want to calculate everything what takes a couple of time the session is after about 3 minutes timedout.My first idea was to set session specific timeouts which are a bit longer then the normal but this setting did not work. I created a policy which did not work for me. How to set connection specific timeout's? [code]
View 3 Replies
View Related
Jan 18, 2013
We have an ASA 5510 version 8.3 (2) that we accept VPN users via a radius server. Is there a way to lock down a specific user that connects to the ASA as a SSL client or IPSEC VPN user? If the specific user were to connect to the ASA, we would want the user to have minimal to not access to our system.
View 1 Replies
View Related
Jan 30, 2012
How can I hold the public IP on my cisco client VPN NAT session so nobody else can use it? I have a cisco asas 5510 inside is 172.10.20.86 public 166.245.192.90
Did I need to call my ISP?
View 3 Replies
View Related
Dec 5, 2011
i have a Ipsec tunnel between a ASA 5510 (Uk) & a router (France) that seems to be going down a specific times during the day. I have attached the sys log as well.
I cannot seem to copy & paste the config onto here for some reason so i have attched the configs, Ipsec details & syslog details from the asa.
View 3 Replies
View Related
Mar 6, 2012
How to force traffic back out the same interface from whence it entered. Review the following topology.
Internet ---> ASA 5510 ---> Static IP1 ---> F3.1 ---> 1811 F0
|-------> Static IP2 ---> F3.2 ---> 1811 F5 ---> VLAN Int
ASA F3.1 10.1.254.9/30
ASA F3.2 10.1.254.13/30
1811 F0 10.1.254.10/30
1811 F5 10.254.1.14/30
When pinging the public IP of ASA F3.2 from the internet a reply is never received because the default route on the 1811 points to ASA F3.1.
How do I get the replies from the 1811 to go back out the same interface from whence it entered ? I am sure the answer is policy-based routing, but not sure how to write the config.
View 1 Replies
View Related
Apr 23, 2012
My setup has two firewalls to the internet, one is for all internal users who want to access the internet and the other is an ASA5510 acting as VPN terminaton to remote workers accessing using Anyconnect.
Each of the firewalls has a public interface on the same network (ex. 196.160.100.192/26).
We have a server with a public interface, and all traffic (internal and external) has to access via the public ip (again in the same network as above) and there are different profiles and access levels on that server depending if you are accessing from an internal IP or a public IP.
Well, when users are connected thrugh the VPN, although they have an internal IP address, as they are accessing the server on the public IP, the ASA sends the packets through its external interface (direct connected route) instead of sending it to the default internal gateway that is a "trusted" entry point on the server.
Any way to force the ASA to send that traffic to the internal default gateway instead of sending it to the external (direct connected) interface?
I have no access to the server (appliance under warranty) so I can't make any changes to it...
View 1 Replies
View Related
Dec 6, 2012
We have a ASA5510 and I need to open port 22 for a speacific IP in our LAN outbound only.
View 15 Replies
View Related
Aug 12, 2012
I am adding a second external connection to an existing system on an ASA 5510 with ASA V8.2 and ASDM 6.4. I added the new WAN using an other interface (newwan).
The intention is to route most internet traffic over the new route/interface (newwan) but keep our existing VPNs using the former interface (outside).
I used the ASDM GUI to make the changes and most of it works.ie. The default route goes via (newwan). Outgoing VPNs of a site to site nature use the previous route via (outside) as they now have static routes to achieve this.
The only problem is that incomming Remote Access Anyconnect VPNs are not working. I set the default static route to use the new interface (newwan) and the default tunneled route to be via (outside) but this is the point is goes wrong....
I can no longer ping the outside IP address from an external location. It seems the outside interface does not send traffic back to the - outside interface (or at least that's where I think the problem lies). How do I force replies to the incomming VPN remote traffic from unknown IPs to go back out on the outside interface?
The only change I need to make to get everything working on the outside interface again is to make the Default Static route use the outside interface. Which puts all the internet traffic back on the original (outside) connection.
View 6 Replies
View Related
Apr 19, 2010
I'm actually require authentication for users who are coming from the PublicVLAN (the vlan associated with the wireless hotspot) to authenticate themself to the LDAP server via my firewall ASA 5510
View 12 Replies
View Related
Sep 26, 2012
We just got a new ASA5510 (straight out of the box). I’m new to the Cisco but feel we followed the directions. We connect to the management port and have our workstation set to get an ip via dhcp. A cat5 is connected to the management port, that goes into a hub (tested to work) and a cat5 is connected from the hub to the workstation (tested to work). Nothing else is connected. The workstation does not get an ip address. (assigns APIPA) Both the 5510 and workstation have been rebooted.The workstation works otherwise. We have also connected both a crossover and straight through cable from the 5510 to the workstation. We have statically assigned an ip of 192.168.1.2 to the workstation and cannot ping the cisco (192.168.1.1).
View 2 Replies
View Related
Jan 22, 2013
I'm setting up a second exchange 2010 server at a DR location and have been experiencing some problems. The two sites are connected via a pair of ASA5510's using the point to point VPN. I want to rules out any possible VPN issues that may be blocking ports and wanted to see if there is an easy way to do this and simply allow all traffic without any restrictions between the two ASAs. I've attached the scrubbed configs here...Ewing is the primary site and DBSi is the DR site.
View 2 Replies
View Related
May 9, 2011
Our cisco asa 5510 getting sometimes boot and sometimes not. sometimes LED on port comes back if boot and sometimes not. what are the parameter should be check to rectify problem.
View 3 Replies
View Related
Dec 1, 2011
I just finished implementing a VOIP install and I am trying to setup some softphones and in order to allow the softphones to work I need to open some specific ports for outbound. I am not a Cisco guy, I am a Windows Administrator that also has to maintain my Cisco infrastructure.
View 3 Replies
View Related
Dec 16, 2012
Trying to get port forwarding going using ASDM 6.4 on a Cisco 5510
I want to forward port 25/Smtp to 192.168.1.10
I have added all the rules as outlined in the link below. [URL]
But when running an open port checker on [URL]
It says the port is closed, I have noticed that under Access Rules under the Hits columns it says 52 ?
View 7 Replies
View Related
May 22, 2012
i have a cisco asa 5510 and would like to add a NAT rule for a range of ports like 50000-59999
View 1 Replies
View Related