Cisco VPN :: ASA5505 Random Destination Port And Implicit Rule
May 4, 2012
I have an ASA5505 that I am setting up behind another firewall. The external firewall has all ports forwarded to the ASA which is fine as I can see the traffic getting to the ASA in the log. However when the traffic trys to return to it's destination the ASA assigns a random port number. For example for VPN the source port is 443 but when the ASA trys to go back to the public IP addess it is using port 52857 which is obviously blocked on the external firewall. The Packet Tracer also says the the traffic is blocked by an implicit rule on the ASA which denys all ip traffic however I can't delete this rule and as I test I have created another rule allowing all IP traffic.
I got a Global Implicit Rule problem with my Cisco ASA 5510. Here's my configuration : url...I created a PAT translation so that my web server (group LAN Network) could be accessed from the Internet.Although every rule seems to be ok, i got a "tcp deny access" when i try to telnet my public IP on port 80 (ping is ok).
Why is there only one Global Implicit Rule, and not one for each Interface (like in the older versions of ASA OS) ?
I have found this in documentation (the same statement for version 8.3 and 8.4):
" Access Control Implicit Deny #All access lists (except Extended access lists) have an implicit deny statement at the end, so unless you explicitly permit traffic to pass, it will be denied. For example, if you want to allow all users to access a network through the ASA except for one or more particular addresses, then you need to deny those particular addresses and then permit all others. "
Does it mean that now all ACLs shoud have created manualy deny ip any any rule at the end ? I have migrated one ASA to version 8.3 (no host connected and I can't test it) but after migration I don't see this rule at the end of all ACLs. Does it mean that all traffic will go throu ACLs on all interfaces ? I didn't find any information about this change in documents describing new software features [URL]
I picked up a rather nasty bit of malware which resulted in a format and installation of Windows Ultimate 64, all well now except i cant get the wireless to work, downloaded assorted drivers from the dell support directory but to no avail, so questions are-:am i missing something obvious (windows function button for wireless does nothing)what is the correct driver for the N5040 and are there any tricks in getting it to work.
I've setup a site to site vpn on an ASA 5510 using ASDM (as I have many times before) and the tunnel appears to be up but I am not able to pass traffic. When I run the packet tracer from my inside network to the remote destination network, it shows that it is blocked by the implicit deny ip any any rule on my inside incoming access list.
we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic. I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did. That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below. However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
show ver Cisco Adaptive Security Appliance Software Version 9.0(2) Device Manager Version 7.1(2) Compiled on Thu 21-Feb-13 13:10 by builders System image file is "disk0:/asa902-k8.bin"
I have configured SPAN in cisco 3750 switch as below mentioned. but the destination port protocol is down.switch(config)#monitor session 1 source interface gigabitethernet1/0/1switch(config)#monitor session 1 destination interface gigabitethernet1/0/11 ingress vlan 1
When trying to configure ERSPAN on a ASR1006, I'm not getting any traffic on the destination port. ERSPAN flavour is LOCAL SPAN, as described in:
[URL]
Configuration used, is the following:
monitor session 1 type erspan-source no shut source interface GigabitEthernet0/0/2 destination erspan-id 10 ip address 10.10.10.1
[code].....
Apparently everything is configured in the proper way, however I’m not getting any traffic in the destination port. Also I’ve noticed the following in the details from ‘Session 1’:
i have configured SPAN over cisco 2960 to monitor source port traffic but after configuration i dont able to get response from destination port as my NMS is attached on destination port so i lost its web interface.
Configuration is as under.
monitor session 1 source interface gigabitEthernet0/5 (Source Port on Vlan 100) monitor session 1 destination interface gigabitEthernet0/1 (Destination Port on Vlan 200)
my WRT54G has been configured to block any and all incoming connections.continue to have disabled all port forwarding, port triggering, the DMZ, and QoS, via the applicable tabs under the [Applications & Gaming] Panel. The WRT54G continues to be configured to operate as a Gateway.No static routes are defined. The routing table show four entries, none of which are remarkable or match in anyway the partial address identified above.So I am under the impression that my WRT54G should be ignoring everything from the WAN-side.Even pinging the WAN-side of my router from the outside internet times out.My WRT54G ver 6 is at firmware level 1.02.8, which, as far as I can tell is the latest issued by Cisco.I am completely perplexed how such a connection is being established, and do not know if it is or has the potential of causing any harm. My own research indicates port 520 is typically used for RIP protocol, but I have almost zero knowledge of such.
In s SPAN session , normally the destination prt is used for monitoring purpose only. But could destination port be used to access the equipement or PC connected to that port , for a 2960 LAN BASE image switch .
Basically I am trying to use Wireshark to do a packet capture on a Nexus 5010. I want to do a monitor session on on the switch so I can capture from a source port to a destination port on the same switch. I can configure the source port but when I go to configure the destination port I get "ERROR: Eth102/1/4: Configuration not allowed on fex interface". I have tried to reconfigure this port as a switchport but "switchport mode access" command does not take. I don't want to make any changes to any other ports but this one.
I accidentally setup two schedule rules both with the name of "Log". When I highlight either rule, and try to delete either, I get error "The rule is being used by another rule and cannot be deleted" How do I delete?
We have computers that are connected to a switch stack of 3 - 3750 switches. Randomly, we experience pcs that fail to communicate on the network. At first thought I figured the port went into err-disabled state, however the port shows up fine on the switch and moving the pc to another port on the same switch in the stack fails to fix the problem. To add to the confusion, if I immediately connect a different machine into the problematic port the newly connected machine has no issue and operates normally. Connecting back the first machine still results in no connectivity.
The only way to gain back network connectivity is to move the pc to a different switch in the stack. shut/no shut doesn't work.The IOS the stack is running is 12.2 and the switch ports are configured using cisco port macros.
Lately I've noticed some strange behavior on some of the switch ports. When I go through the logs my SGE2000/2010 stack, I see that some of the ports randomly lose their connection:
I'm having trouble locating the source of the problem. The devices connected to the port are servers and desktops. This happens frequently throughout the day, but not always on the same ports. What could cause the random drops?
I have a remote site that is using port 4500 for within the isakmp phase of creating a IPSEC tunnel, but for some reason it is also using random port numbers constantly (in bold): [code] These are all blocked by the firewall when trying to communicate with our central router in the trusted network. The central router does not display the same symptoms, it only uses port 4500.Is there a way of preventing the remote router from using random port numbers and only allowed to use 4500??
The problems looks like this: I'm able to browse the web without any problems until at random points of time - might be 2 hours after I turn on my PC or 5 or even half an hour the port 80 gets blocked - actually more like it hangs it self. As whatever I try to open i get "waiting for response" going and going. It's not even returning "page not found" error or anything. To top everything all other ports work fine - i can use https, ping run tracert - no problem there.
I've spend two days looking for some answer on the web but came up empty. I've scanned for malicious software with ad-awar and malwarebyte anit-malware - nothing came up. After restart of the pc everything comes back to normal but its frustrating needing to do that every now and then.
My home network looks like this: I have some broadband modem that is connected to local wifi TP-LINK router (Model No. TL-WR340G/TL-WR340GD). There are four devices using this connection - two pc's (laptops), android phone and android tablet.
Network running about 60 computers, most of which are running windows 7 professional. Some are on a domain, some are not.At (seemingly) random times, some computer on the network will lose the ability to browse websites (including the web interfaces of networked devices). I can't identify what circumstances cause this to occur. I only find out about it when someone calls me.From the affected computer:I can ping sites I can ping our Cyberoam UTM (which acts as our DNS, DHCP, and firewall)disabling/enabling connection doesn't fix the problem releasing/renewing ip doesn't fix the problem flushing dns doesnt fix the problem uninstalled antivirus on two test machines, problem still randomly manifests.replaced the Cyberoam with newer model users have claimed that if they wait a long period of time (40+ minutes) the problem sometimes resolves.rebooting the computer resolves the issue until it randomly occurs again changing the computer's mac address also resolves the issue until it randomly occurs again.
My syslog is full of %ASA-4-106023: Deny tcp src outside:---- by access-group "inbound-acl" messages. I did not configure an explict deny for the access list to log these denies.how I can disable logging of denied connections?
ADSL ---> Cisco 877 with connected site-to-site VPN's ---> Cisco ASA 5505 with Remote VPN enabled
I want to connect my Android phone to the Cisco ASA 5505 with Remote VPN. When I forward port 500 and 4500 on the Cisco 877 to the Cisco ASA5505 I can connect with the phone.
But as expected, the site to site connections are lost because now they try to reach the ASA 5505 also.
I want to exclude the site to site external IP addresses from doing static NAT to the ASA 5505...how can I accomplish this ?
I have a Windows 2003 server running a L2TP VPN server on it. I'm putting theASA5505 in replacement of an open source firewall.
My question is that, I can't seem to forward the ports correctly for L2TP to the internal address of the 2k3 VPN server. It seems to me that the ASA is trying to negotiate the VPN connection rather than forward it internally.
Cisco ASA5505 WAN 216.136.1.2 LAN 10.1.1.1/24 Windows server - 10.1.1.14
I'm not able to access my Slingbox from the outside. I've set up port forwarding on port 5001 to allow outside connections in, but port forwarding isn't working. Am I missing something?
I just bought a Cisco ASA5505. I'm trying to opening a port range through CLI, but it doesn't seem to be working.
Background:I have an FTP Server running behind the firewall and need to allow port ranges 30000-30100 for data connections. I have been using FTP through the command prompt and its working. However, I cannot use it through the FileZilla client as it fails to query the directories. I have the ASA forwarding to port 1125 from 21 in passive mode.
Access-List: access-list Outside_Access_In line 3 extended permit tcp any any eq ftp-data (hitcnt=0) 0xfa8ed43d access-list Outside_Access_In line 4 extended permit tcp any any eq ftp (hitcnt=17)
I am at a loss on configuring a new ASA5505 for multiple static port translations.I would have expected to simply add several service command to a network object to complete the task, however, the service command overrides the previous and replaces rather than adds to the translations. [code] However, if entered in that order the 8443 overwrites the 8080 static translation.What is the correct procedure to establish multiple translations? If someone could also provide the "old" style for pre 8.2 release, I'd like to compare because I thought I used to do this with an access-list somewhere.
I have an ASA 5505 on a job. It is a smaller business that would have done better with an RV082, but they have what they have. It is running firmware 8.4. The client needed ports forwarded for their FTP server. The port range in this config is tcp 43333-43339. The FTP server ip is 192.168.1.2. [Code] ......
I've had a Cisco ASA 5505 firewall connected to a cable modem (Virgin Media, UK) for the past 3 years. In the last 6 months or so I have noticed that the ASA would drop the outside (internet) connection intermittently, usually at least once every 1-2 weeks - the interface still shows as being up but no traffic crosses it, and computers on the inside network abruptly lose internet connectivity. Rebooting the ASA or administratively shutting down the interface and bringing it back up again would cure the problem straight away until the next time it happens.
In the last couple of days however despite nothing having been changed in the configuration the frequency of this connection drop has increased to the point where I would lose access to the internet within an hour of rebooting the ASA. It does not seem to matter whether or not there is traffic currently going out or not, inside computers just appear to suddenly lose internet connectivity.
I have tried the following without success:
1) I completely wiped the configuration (configure factory-default)
2) I changed the port the cable modem was connected to (eth0/0 -> eth0/7, changing switchport vlan accordingly)
I thought perhaps 2) had fixed it but it lasted a whole 2 hours before I woke up this morning to find that none of the internal equipment had internet access despite the fact eth0/7 was showing as up/up in ASA CLI.
This morning I manually set the eth0/7 port to "speed 10" (10Mbps, full duplex). It was previously set to be auto-negotiation (default) on both speed and duplex. As of this post it has managed to keep the outside connection up for 3 hours - but I'm not optimistic that it is fixed.
Interface counters have never shown any collisions, errors, etc - only packets input and output as expected.
Since the problem persisted across ports (eth0/0 -> eth0/7) I'm wondering whether or not the problem could either be faulty memory, or some kind of speed/duplex incompatibility between the cable modem and ASA.
How to configure this setup.I have an ASA5505 with dual wan failover, FiOS (eth0) & Cable (eth1). how to configure the port forwarding for all my devices so it doesn't matter what external interface the traffic is coming from. For example, I need web traffic on port 80 forwarded to 192.168.1.150 regardless of whether it is coming through eth0 or eth1.