Cisco WAN :: 5505 - Limiting Port 25 Forwarding To Specific IP Subnets
Jan 26, 2013
Just getting started with ASAs. I've got my 5505 almost 100% configured but my port 25 forward to my Exchange server. Currently I've got an access list forwarding all traffic that hits the outside interface on port 25 to my Exchange server (access-list outside-in extended permit tcp any object mail-port-25 eq smtp). What I'd like to do now is say that only port 25 traffic from specific IP subnets gets forwarded. I thought I read that there are a couple of ways to do this (from the inside interface, from the outside interface).
Also, what happens to port 25 hits that don't fall within the range I specify? Do they get a disconnect reply or do they just get ignored (no reply whatsoever)?
Edit: ...just to clarify, the allowed IPs I will be entering are the WAN IPs of my AS/AV service.
Mar 31, 2013
I'm trying to find a router that can do port forwarding to other subnets. My current Linksys has an IP of 192.168.1.1, and only allows me to port forward to 192.168.1.x, but I need to forward to 2.x, 3.x, 4.x.
I can see how to do this on the RV215W through the online emulator, but Cisco suggested I use the RV220W. Looking through the device emulator, I can't seem to figure out how I would set it up.
Dec 2, 2011
So here is my network.
ASA5505--->Cisco1841--->Cat2960
Code
ASA asa831-k8.bin
Cisco 1841 c1841-adventerprisek9-mz.151-4.M2.bin
Cat 2960 c2960-lanbasek9-mz.122-55.SE1.bin
and here is my dilemma.
I can SSH from the internet to my ASA on default port 22, directly to my public IP. I can SSH from the internet to my Cisco 1841 on port 2001. I cannot, however, SSH to my Cat 2960. From what I can tell, on the Cat 2960 I can't change the default port 22 for SSH to a different port, just like I did on the Cisco 1841. I looked to see if I can change the default port for SSH on the ASA; it does not look like this is an option.
The bottom line is that I want to be able to SSH to all three devices from the internet. I only have one public IP. As of now, what I can do is only SSH to the ASA on default port 22 directly to the public IP and to the Cisco 1841 on port 2001. It appears that changing the default SSH port on the Cat 2960 is not an option. It also appears that I can't change the default SSH port on the ASA; if I could, I would, and then I should be able to SSH to the Cat 2960 on port 22. No matter what I did on the ASA, it always listens on port 22 for SSH connections.
show asp table socket
TCP 001f549f <<pub IP>>:22 0.0.0.0:* LISTEN
How do I make it listen on a different port?
Here is the relevant config for SSH for the Cisco 1841 (port forwarding)
ON ASA
object network ROUTER
host 10.10.1.1
[Code].....
Apr 22, 2012
I'm using an ASA5505 (8.4(1)) and would like to block port 80 on a specific host in the LAN so machines in other remote LANs connected via VPN can't access this port on the host. Devices in the local LAN should have access to this port on the host. Here are the commands I'm using:
-access-list block_port extended deny tcp any host 10.20.10.20 eq 80
-access-list block_port extended permit ip any any
-access-group block_port out interface inside
These commands are not working as I would expect them to. When I browse to http://10.20.10.20 from a remote machine over the VPN tunnel I am able to access the host web server.
Sep 2, 2012
I have the following configuration in my ASA 5505 and I'm having problems connecting with other players on my XBox.
I think my problem is that I need to forward ports tcp:3074, udp:3074, and udp:88 to my xbox which is at 192.168.2.50 (vlan 3 below).
Oct 30, 2012
Trying to do port forwarding so that one particular host located on the WAN can get access to a LAN box on a specific port via the public IP.
Here's what I've setup on the ASA (IP addresses and port number have been changed to protect the innocent):
Jan 23, 2012
I would like to be able to do SSH port forwarding from outside to an IP address inside. Normally, this is very straightforward.
The problem now is that if I do so, then the LAN to LAN VPN stops working! There is a LAN to LAN VPN working flawlessly (so far) between an ASA 5505 and a Cisco 861 Integrated Router. However, I would also like to give SSH access to an IP address behind the Cisco router. The moment I do this the VPN breaks!
I attached the Cisco 861 router configuration, where the problem shows. The ASA has public IP X.X.X.105 and the router has X.X.X.105. These two are used for the VPN tunnel.
The internal network in the ASA is 10.115.16.0/24 and 192.168.10.0/24 in the router. These talk to each other using the tunnel. But the moment I try to forward port 22 in the router from X.X.X.107 to 192.168.10.30, the VPN breaks! I do that with the following line: ip nat inside source static tcp 192.168.10.30 22 X.X.X.107 22. Obviously, something is eluding me. The configuration is rather short and simple. But I'm a newbie with Cisco router configuration. Note that the tunnel stays up after I use the natting entry and I can talk from the router to the ASA, but not the other way around! The router is a Cisco 861 with IOS version 15.0(1)M7.
Mar 16, 2011
We have an ASA 5505 and I need to set up port forwarding for an unusual port number which will be used for FTP on an IIS server. It's a bit complex as there are 3 VLANs: these are called ISP, Server and LAN-side VPN. We need to add a TCP port 8521 forward from the server's IP in Server WAN to ISP WAN VLAN with public IP address.
Jun 27, 2011
We are trying to install filter software at our main location and branches. The admin console has been installed at the main branch, but I need to allow access to ports 58000-58003 through our firewall in order to successfully install the software at our branches.
Feb 25, 2013
Have a couple of ASA 5505s which work fine for what they are doing, VPN and all that. We have 1 DLINK DFR-700 Firewall left and I need to get a new ASA to replace this since it is old. All this box really does is port forward external clients to 1 address on the internal LAN for client software updates. So let's say we have client a with IP 1.1.1.1 and client b has 2.2.2.2. At the moment this is what happens: client a and b come in through http and get mapped to the internal http server 10.10.1.2. So I need to set up about 100 clients which can come in through http only, get mapped to the internal IP, while also keeping the internal server able to access anything outside.
Dec 6, 2012
I have an ASA5505 and am having an issue with port forwarding NAT. [code]
Sep 1, 2012
I have the following configuration in my ASA 5505 and I'm having problems connecting with other players on my XBox (moderate NAT).
I think my problem is that I need to forward ports tcp:3074, udp:3074, and udp:88 to my xbox which is at 192.168.2.50 (vlan 3 below).
[code]
# sh run
: Saved
:
[Code].....
Oct 1, 2012
I am trying to forward specific ports from the outside interface on my ASA5505 to my servers inside and cannot get it to work! I have a VPN that currently works and the firewall rule in place; I am just overlooking something simple, I'm sure. Here is the config:
ASA Version 8.2(5)
!
hostname ASA
enable password <removed>
passwd <removed>
[Code]...
Feb 5, 2012
I'm trying to limit the bandwidth on certain ports to 3Mbps and others to 1Mbps for a project. However, when I do a bandwidth test from a website the speed on the router doesn't seem to change; it's as if the changes over telnet aren't actually affecting the switch's QoS settings. I have verified that the policy is attached to the interface and the settings are correct as well.
Router
Telnet address: 10.xxx.xx.xx
Password:
[Code].....
Mar 15, 2012
We are trying to setup our ASA 5505 to do port forwarding to multiple internal servers and have run into some issues. A little background on what we are trying to do.
We have 1 static external IP. Internally we have one existing server (10.1.1.184) that has port 80 forwarded to it and another existing server (10.1.1.185) that has port 443 forwarded to it. Both of these servers are serving separate web apps to our employees, who of course use them offsite. We have now added an additional server (10.1.1.186) that needs to use both ports 80 and 443. Is there any way to set it up so that these ports can be forwarded to all the servers that need them? Also, how would this work as far as knowing what traffic will need to go to which server even though it is using the same port?
The equipment is: ASA 5505, ASA Version 7.2(4), ASDM Version 5.2(4). I apologize in advance if what I'm trying to do is difficult/impossible. I inherited the ASA 5505 at this location and I was not here when it was initially installed. In fact no one on staff was here when it was initially installed. I did manage to find the passwords to it though. I'm not at all familiar with the ASA 5505 or Cisco security appliances in general.
Apr 23, 2012
I've configured port forwarding on an ASA 5505 to connect to an Access Point web administration. This is for testing purposes only. I've followed the guidelines for port forwarding and I've created an access list but I can't connect to the AP. I know it's working because it connects fine when connected to my speedtouch router. I've attached a running-config. I'm getting hit counts on the ACL and I'm getting untranslate_hits on the nat but no translate hits.
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
[code]......
May 20, 2012
I have an ASA 5505 with 8.4(2)8 software for one of my branch offices and I can't configure port forwarding. It seems to be very simple, but it's not working. I use my ASA as a gateway to the internet for users in the office and for site-to-site IPSec VPN to HQ. I have a pppoe-enabled outside interface, but the ISP gives me a static routable IP address. I have a server behind my firewall and I should "publish" to the WAN some of its tcp and udp ports, but I see that no packets are forwarded through the ASA. I tried to configure PAT as stated in the official "Cisco Security Appliance Configuration Guide" through CLI and ASDM. [code]
Dec 27, 2011
I have a Cisco ASA 5505 Firewall with a Security Plus license. Currently I open ports 25, 80 and 443 on public IP address 1.1.1.1 and perform static NAT between the inside and outside IP address, such as I configured via CLI:
access-list OUT_IN extended permit tcp any host 1.1.1.1 eq 80
access-list OUT_IN extended permit tcp any host 1.1.1.1 eq 443
access-list OUT_IN extended permit tcp any host 1.1.1.1 eq 25
[Code]......
Apr 19, 2013
I have a Cisco home rack lab which is behind my ASA 5505. I use my ASA to connect to the internet. My situation is I travel a lot for work, and I am unable to do my labbing practice. I am pretty new to ASA and would like to do a port forwarding to access my access server which is connected to my Cisco routers and switches. My network topology is this: (internet)-------(ASA 5505)----------(3550)-------(CM32 Access Server)----------(Cisco Rack) This is how I set up my remote access:
Code:
ssh 0.0.0.0 0.0.0.0 outside
May 12, 2011
How to set up port forwarding for inbound SSH?
The outside interface on the ASA is on DHCP. I have a single dynamic public IP from my ISP. The inside interface provides Internet access for the network using NAT.
I have a server on the internal network with an IP of 192.168.0.6 and I would like to access this via SSH (TCP port 22) from outside.
I've been able to do this in the past on a PIX with a static public IP block, but I'm new to ASA and I don't know how to do it with PAT.
Current running config attached for what it's worth, but it's pretty basic at the moment.
Dec 16, 2012
Doing a port forward for remote desktop with ASA 5505 9.1.1 and ASDM 7.1.1. I could have done this with the previous versions of ASDM but now it is even more confusing?
Jun 26, 2012
I am trying to port forward Exchange 2010 OWA using an ASA5505; whether I used object NAT or Twice NAT, it just doesn't work. Here is my config:
access-list outside-access remark "Exchange Server Access Rules"
access-list outside-access extended permit tcp any host <public x.x.x.11> eq smtp
access-list outside-access extended permit tcp any host <public x.x.x.11> eq https
[code]...
Note that I use public IP <public x.x.x.9> on the outside interface for PAT, so all hosts in the same private can access the internet.
Jan 15, 2013
Here is my environment: DSL Modem - ASA 5505 - switch, inside network (192.168.2.0/24)
What I have successfully done:
- Modem online and passing on DHCP requests from the ASA to my ISP (ASA does get an internet address on the outside interface)
- ASA assigning DHCP to internal network
- All internal clients can access the internet.
What I am getting stuck on is getting NAT rules set up for simple port forwarding. What I would like: ANY internet address be able to access a server on the inside network address (192.168.2.x) over tcp/22 . I set up what I believe to be the correct NAT rule and Access Rule, but the packet tracer fails. Here is my config.
ASA Version 9.1(1)
hostname xxxxxx
domain-name ugh
enable password xxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
[code]......
Feb 24, 2013
I have a Time Warner Cable business class service with no static IP, with a wireless modem which is plugged into a CAT5 distribution panel. On the jacks (2 other rooms in the house) I have a Linksys E3000 and a Linksys Valet router for signal boost and gadget usage (TV, cameras, etc). The main router (TWC) has its own external IP which TWC assigns to me and internally distributes the range 192.168.0.x via DHCP. With that said:
- The E3000 has a 192.168.0.6 IP -- this is fixed setup on the TWC router (ubee brand) by MAC address
- The Valet has a 192.168.0.7 IP -- this is fixed setup on the TWC router (ubee brand) by MAC address
- The main router has the 192.168.0.1 as the gateway and web-interface
Whenever I connect something to the E3000, it is distributing the 192.168.1.x range and the Valet the 192.168.2.x range. That worked perfectly for my home based business until I decided to use more stuff on the network such as an IP printer, IP cameras, etc.
- The IP cameras are connected to the E3000 due to signal strength and I have manually assigned them the 192.168.1.15 and 192.168.1.16 IPs and ports 9001 and 9002.
- The printer is connected to the E3000 and I have manually assigned the IP 192.168.1.30.
Issue 1: Port forwarding. On the main router (TWC - UBEE) I have tried to set up a port forwarding by entering the Local IP as 192.168.0.6 (E3000 IP), Internal Port 0, Public Interface IP (0.0.0.0), Ext Start Port 9001, Ext End Port 9001, Protocol - Both, Enabled Yes. On the E3000 I did the same config (screen shot attached e3000.png). This is not working properly. I can't get into the camera.
Issue 2: Printer. The printer is only accessible if I connect to the E3000 (because it is on the 192.168.1.x network).
Issue 3: How to configure all the devices on the same subnet? If I want everyone to be on the 192.168.0.x network, how do I properly configure the E3000 and the Valet? I have tried to force them into the same network but it would not work properly. It would not get an IP from the UBEE router (main).
Apr 7, 2013
I am trying to open up port 32400 on my 881w Cisco router but I have not had any success. I need to configure a manual port-forward to enable my Plex Media server.
Oct 25, 2011
I use an RV082 router with load balancing. My problem is that when I try to access a specific site, I get the error message that my IP address changes and I cannot use 2 IP addresses. I want to specify an IP range to always use the same WAN port.
Jul 1, 2012
Is it possible to enable an absolute value rate limit using QoS on an HP ProCurve 5406 switch for a particular IP range on a specific port? Is there a way to configure our HP 5406 with an absolute rate limit on the "WAN" port for that server's IP range? I would like to limit it to only being capable of sending 1Mbps worth of traffic over the head end at once. Everything in the documentation points towards priority queues, which as far as I can tell, isn't really what I want. Barring accomplishing this goal using rate limiting, is there a better way to prevent our services from accidentally saturating this connection? I'm thinking about something like this:
class ipv4 rate-limit-port-A1
match ip 10.136.0.0/16 any
exit
policy qos port-a1-ratelimit
class servers-to-be-slowed action rate-limit kbps 1000
exit
interface A1 service-policy port-a1-ratelimit in
I'm not sure about this.
Mar 25, 2011
I need to set up an L2L VPN between two ASA 5505 models, but due to poor planning and documentation both sites have the same subnet (192.168.1.0/24). Now I need to set up L2L with overlapping subnets. Is it possible with the ASA 5505?
Dec 9, 2012
In one of our offices in Tokyo, we used to connect to the internet using a PPPoE connection from an ASA5505 and then ran multiple IPsec tunnels to our remote sites. We have a /28 public range, but I couldn't work out how to utilize the other addresses, as the firewall was assigned a /32 on its dialer.
To try to use more of the address space, we changed the topology and put a 1921 router at the internet perimeter terminating the PPPoE and then connected the inside of that to the outside of our ASA5505. We split the /28 into two /29 subnets. The dialer interface of the router has a /32 from one of the /29s and the link between the inside of the router and the outside of the firewall uses the other /29.
Since that change, we have had a number of performance problems to devices located behind the firewall (over VPN). If there's no traffic going over it, then response times to the public facing interfaces of the eqpt there are good. The more traffic we push over it the more packet loss we get. The response times are consistent; it's the packet loss that's the problem. There are no errors or drops on the PPPoE interface. The obvious answer to this is that we're pushing more traffic over it than we should, but it's a 100Mb circuit and I'm having severe packet loss if I try to push about 2 or 3 Mbps through it.
We're pretty certain that it's an ISP problem and can't say for sure that the problem started when we changed the topology out there, but is it anything to do with the way we've split the subnets out like that?
Oct 23, 2011
Is it possible to shut down a specific port on my 3750x and monitor this port at the same time? For example, I'm dealing with a MAC-authenticated network using port security. I want to shut down all the ports that are not used at the moment; however, if someone gets connected to one of the shutdown ports, I want to know the MAC address of the user, or at least to know that I have someone who has just plugged in to one of the shutdown ports.
May 26, 2013
Site A:
ASA5520
VLAN data subnet 172.16.10.x/24
VLAN Voice subnet 10.0.0.x/24
Site B:
ASA5505 Base license
VLAN data subnet 192.168.10.x/24
VLAN Voice (restr) subnet 10.0.1.0/24
The callmanager is located on site A and needs to send out DHCP offers to site B through the VPN so the IP phones can register to the callmanager. I got the VPN up and running for the data subnet but I can't get traffic through the voice subnet/VLAN.
Can the ASAs do the job or do I need to route traffic before the ASAs on both sides and send it through the tunnel, with both subnets configured as interesting traffic? Of course, in the last situation I need to upgrade the license for the 5505 to gain more VLANs.
Aug 4, 2012
I am trying to limit the incoming and outgoing traffic on an L2 port to 8mbps for an IP subnet within the Nexus 7000. The port is connected to my ISP router which has a bandwidth of 20mbps. Policing won't work on an L2 port and shaping cannot be applied on a port level. url... I have been reading through the QoS guide for Nexus release v6 and have problems understanding the different queues.
Jul 10, 2012
Not really a big problem, but not knowing the answer is killing me. This is what I have:
Host 1 <-> ASA 5505 <-> VPN connection<-> ASA5510 <-> Host 2
The problem is when one of the hosts tries to reach the inside interface of the remote ASA, e.g. Host 1 trying to ping the ASA5510 inside interface. Again, Host 1 and 2 have the same subnet address of 10.1.1.0/24. I have configured the ASA 5505 to do the NAT translations.
[code]...