Cisco VPN :: ASA 5510 / Direct Specific Ports Down A L2L VPN?
Apr 18, 2013
I have a client that is trying to use an ISP hosted web filtering and content management gateway, the ISP wants to use and L2L ISPEC VPN from the site to their gateway to control traffic. We got the tunnel up today with a test ACL for test client side devices to go down the tunnel, but they are blocking all traffic that isn't being scanned. The problem is they are on an ASA 5510 with 8.2.2. You cannot add tcp ports into the nonat ACL, it errors out when you try to apply the nat (inside) 0 access-list nonat statement. We can define ports to go down the VPN in the interesting traffic ACL with out issue, but there is no way to send just the web ports down the VPN, and allow other ports out the regular overflow interface NAT. I have been looking into 8.4 and seeing if it allows a policy NAT (twice NAT for the VPNs) to define a port on an IP range (IE: nat (inside,outside) source static WEBINSPECT WEBINSPECT destination static any any ) but define that as web ports only.I don't have a test ASA to use, but i'm guessing that l2l vpn will be by IP only and I can't define a port to tunnel.
I have an RV042. I understand and have created the services I need. The documentation is just not clear on how to direct traffic for these services to a specific wan port.
Can this even be done with this router? If so, the how? Use rate control or priority? Does checking a wan port mean that it will only go through that port?
A bit of a straight forward question, is it possible to connect a 5505 to a 5510 direct via a crossover or do you need a switch inbetween capable of trunking?
Currently, my customer has 2 units of Cisco PIX 515E running on Active/Standby mode. As for the heartbeat link, there are 2 dedicated switches placed in between both the Cisco PIX 515E i.e. FW1 --> SW1 --> SW2 --> FW2.
My customer will be changing both the Cisco PIX 515E to Cisco ASA 5510. Now, they are asking me, since they will be using Cisco ASA 5510 eventually, can the heartbeat link be a direct UTP cross cable or must the 2 switches in between still exist?
I remember I have tested this before, few years back, in the event I were to pull out the UTP cross cable that's connecting both the Cisco ASA 5510 Firewalls directly (without any switches in between), the Active/Standby mode still works fine. It doesn't go bad whereby both the Cisco ASA 5510 suddenly becomes Active/Active, and causes network issue.
Are switches required for the heartbeat link in a Cisco ASA environment or can a direct UTP cross cable connection be adequate.
Is the Cisco IOS version specific to the number of ports?IE, would a 24pt 2960 switch use the same IOS version as an 8 pt 2960 switch? Or is there a different IOS for each number of ports?
I wish to set up a ASA5505 with QoS, and to allow specific port numbers to have priority going through compared to rest of the traffic. Eg ports 21, 80, 443. So for example if im maxing out a torrent, it doesnt impact web traffic etc.The current link its connected to is 100mbit/2.5mbit connection..
We are looking to possibly purchase 2 RV042G routers. The main goal is to tie 2 sites together (via the internet) utilizing the site-to-site VPN feature.
Here is where it gets a little tricky. Since this device has 2 WAN ports, is it possible to assign a seperate IP address for each from our ISP? Then, what we would like to do is assign a couple LAN ports to have the traffic flow through WAN1 and the other LAN ports to flow through WAN2. The LAN addressing can be on the same subnet or seperate.
I have a cisco router 881 with advipservices running ios Version 15.2(4)M1 this router is a device that the user will connect company equipement with antivirus and such.is there a way I can force the ports like fe0 fe1 2 3 to accept only devices with specific mac addresses?if not, is there a way for me to apply an acl to vlanX to block everything that's not from these specific addresses?
A company with 20 branches in Rio de Janeiro area. The main servers are in a datacenter located in downtown.Each branch has a RV042 router with firmware version 1.3.12.19-tm (Feb 13 2009 13:03:21) installed.All users in this network have a proxy configuration pointing to proxy.[blah].com.br port 3128.the HTTP/HTTPS traffic should go through proxy only. [code] Some "smart" users were caught using Ultrasurf application, which changes the proxy settings to go through port 9666 or even 443.In other machines, we've found some black proxies [for example: 212.46.27.142 port 8080].
My objective:
- To close all ports in Firewall -> Access Rules section and grant permission only to some selected and specified ports.
- To redirect all HTTP/HTTPS connections to go to proxy's IP address only.
Which Access Rules can I set in these RV042s in order to block and prevent these users to continue abusing this network?The users who were caught using Ultrasurf were fired.
I'm trying to limit the bandwidth on certain ports to 3Mbps and others 1Mbps for a project, however when I do a bandwidth test from a website the speed on the router doesn't seem to change it's as if the changes over telnet aren't actually affecting the swtich's qos settings. I have verified that the policy is attached to the interface and the settings are correct as well.
How do I go about opening specific ports on an E4200?I'm having disconnect issues with a particular game, and the Customer Service drone thinks the ports required for the game aren't open. Nevermind the fact that it's worked fine for 6 months now, and the problem only started a few days ago.I figured I'd humor the idiot and open the ports, but all I can find is information on forwarding, not making sure the ports are open
open specific ports on 1941w Integrated Services Router.This specific router is a wireless VPN router that has a wired module and a wireless module and VPN so I'm getting 3 subnets on my network - 192.168.1.. for the wired connections, 10.100.1.... for wireless LAN connections and 10.100.2... for VPN remote connections.I know that by default all connected computers can access my Linux server data through telnet so the telnet port is open by default, the problem is that I have some other software licensing system on my Linux box that needs to be accessed through port 27000 and most of my users are using wireless connections and can't access that license because post 27000 is closed.what is the comand to open this post or any other port that I need to be open on the wired module, wireless module and VPN or at least poit me to somewhere where I can find all the commands that I can use for this router?
Is it possible to set up a domain specific DNS on an ASA 5510?The problem I am having is that while the site to site VPN is up the DNS servers on the main site are serving ip addresses for the remote site. Main site is on CBeyond and remote is on Time Warner so when doing an nslookup at the remote site it returns one IP address and when the remote site uses google DNS servers it returns another. The main difference being download speed (weird that it relates) as using main site DNS it was 3 hours and google DNS it took 10 minutes. I am looking for a way to serve DNS for the main site domains and for all public domains use google DNS or Time Warner DNS.
How can I hold the public IP on my cisco client VPN NAT session so nobody else can use it? I have a cisco asas 5510 inside is 172.10.20.86 public 166.245.192.90
I would like to ask some question about VPN clinet and SSL VPN, on my ASA 5510 i have many tunnel-group it have around 5 tunnel-group and i have one SSL VPN,i also have user 20 user. let me show you that:
I have ASA 5510 8.4 Firewall where more than 20 Site to Site VPN Clients are configured on it. how to see the traffic for one Specific Site to Site VPN.Actually this site to site vpn is always keep dropping for every minute. I'm sure its a problem at the other end.The remaining 19 VPNS are UP and working without any problem. How to see the traffic for specific vlan.More over we dont have any syslog server in our network. Is their any chance we can check the traffic on the firewall?
I do have one other question first. What's the effect of the crypto key zeroize rsa command, and then crypto key generate rsa modulus 1024 while I'm SSH'd to the ASA? Can I do it? Or do i need to be consoled in or connected a different way?
ASA 5510: ASA Version 8.4(1) asdm image disk0:/asdm-641.bin asdm history enable http server enable http 10.1.1.83 255.255.255.255 inside http 10.1.1.82 255.255.255.255 inside
Shouldn't that right there be enough to access ASDM from either host .82 or .83? Because I cannot. But if I add http 0.0.0.0 0.0.0.0 inside, then I of course can.
I got a Problem on a customer which is using a Failover ASA 5510 pair with SSM-CSC-10-K9 modules.The clients have to connect to a webserver where they are doing some calculations.If they prepare everything and want to calculate everything what takes a couple of time the session is after about 3 minutes timedout.My first idea was to set session specific timeouts which are a bit longer then the normal but this setting did not work. I created a policy which did not work for me. How to set connection specific timeout's? [code]
We have an ASA 5510 version 8.3 (2) that we accept VPN users via a radius server. Is there a way to lock down a specific user that connects to the ASA as a SSL client or IPSEC VPN user? If the specific user were to connect to the ASA, we would want the user to have minimal to not access to our system.
How can I hold the public IP on my cisco client VPN NAT session so nobody else can use it? I have a cisco asas 5510 inside is 172.10.20.86 public 166.245.192.90
i have a Ipsec tunnel between a ASA 5510 (Uk) & a router (France) that seems to be going down a specific times during the day. I have attached the sys log as well.
I cannot seem to copy & paste the config onto here for some reason so i have attched the configs, Ipsec details & syslog details from the asa.
When pinging the public IP of ASA F3.2 from the internet a reply is never received because the default route on the 1811 points to ASA F3.1.
How do I get the replies from the 1811 to go back out the same interface from whence it entered ? I am sure the answer is policy-based routing, but not sure how to write the config.
My setup has two firewalls to the internet, one is for all internal users who want to access the internet and the other is an ASA5510 acting as VPN terminaton to remote workers accessing using Anyconnect.
Each of the firewalls has a public interface on the same network (ex. 196.160.100.192/26).
We have a server with a public interface, and all traffic (internal and external) has to access via the public ip (again in the same network as above) and there are different profiles and access levels on that server depending if you are accessing from an internal IP or a public IP.
Well, when users are connected thrugh the VPN, although they have an internal IP address, as they are accessing the server on the public IP, the ASA sends the packets through its external interface (direct connected route) instead of sending it to the default internal gateway that is a "trusted" entry point on the server.
Any way to force the ASA to send that traffic to the internal default gateway instead of sending it to the external (direct connected) interface?
I have no access to the server (appliance under warranty) so I can't make any changes to it...
I am adding a second external connection to an existing system on an ASA 5510 with ASA V8.2 and ASDM 6.4. I added the new WAN using an other interface (newwan).
The intention is to route most internet traffic over the new route/interface (newwan) but keep our existing VPNs using the former interface (outside).
I used the ASDM GUI to make the changes and most of it works.ie. The default route goes via (newwan). Outgoing VPNs of a site to site nature use the previous route via (outside) as they now have static routes to achieve this.
The only problem is that incomming Remote Access Anyconnect VPNs are not working. I set the default static route to use the new interface (newwan) and the default tunneled route to be via (outside) but this is the point is goes wrong....
I can no longer ping the outside IP address from an external location. It seems the outside interface does not send traffic back to the - outside interface (or at least that's where I think the problem lies). How do I force replies to the incomming VPN remote traffic from unknown IPs to go back out on the outside interface?
The only change I need to make to get everything working on the outside interface again is to make the Default Static route use the outside interface. Which puts all the internet traffic back on the original (outside) connection.
I'm actually require authentication for users who are coming from the PublicVLAN (the vlan associated with the wireless hotspot) to authenticate themself to the LDAP server via my firewall ASA 5510
We just got a new ASA5510 (straight out of the box). I’m new to the Cisco but feel we followed the directions. We connect to the management port and have our workstation set to get an ip via dhcp. A cat5 is connected to the management port, that goes into a hub (tested to work) and a cat5 is connected from the hub to the workstation (tested to work). Nothing else is connected. The workstation does not get an ip address. (assigns APIPA) Both the 5510 and workstation have been rebooted.The workstation works otherwise. We have also connected both a crossover and straight through cable from the 5510 to the workstation. We have statically assigned an ip of 192.168.1.2 to the workstation and cannot ping the cisco (192.168.1.1).
I'm setting up a second exchange 2010 server at a DR location and have been experiencing some problems. The two sites are connected via a pair of ASA5510's using the point to point VPN. I want to rules out any possible VPN issues that may be blocking ports and wanted to see if there is an easy way to do this and simply allow all traffic without any restrictions between the two ASAs. I've attached the scrubbed configs here...Ewing is the primary site and DBSi is the DR site.
Our cisco asa 5510 getting sometimes boot and sometimes not. sometimes LED on port comes back if boot and sometimes not. what are the parameter should be check to rectify problem.
I just finished implementing a VOIP install and I am trying to setup some softphones and in order to allow the softphones to work I need to open some specific ports for outbound. I am not a Cisco guy, I am a Windows Administrator that also has to maintain my Cisco infrastructure.
