I have an application behind an ASA 5505 that needs to access a mysql database over the Internet. How do IO configure the ASA to allow this remote mysql connection?
View 1 RepliesI Have this Topology: R1 is as server and i want to public that server in INTERNET using public IP 7.7.7.7, but i can not do that. I tried to do a NAT but it just translate from DMZ to Outside, however i can not to ping to 7.7.7.7 from Outside (R2).
I have a route in R2
7.7.7.7 [1/0] via 200.200.200.1
On R2 i can´t ping to 7.7.7.7
On R2 i can´t ping to 172.16.0.2
On R1 i can ping to 200.200.200.2
On Inside i can ping to 172.16.0.2
when i try to ping from DMZ to Outside (200.200.200.2) the debug, and show nat details, show me:
ciscoasa(config)# nat: translation - dmz:172.16.0.2/26 to outside:7.7.7.7/26
nat: untranslation - outside:7.7.7.7/26 to dmz:172.16.0.2/26
nat: untranslation - outside:7.7.7.7/26 to dmz:172.16.0.2/26
nat: untranslation - outside:7.7.7.7/26 to dmz:172.16.0.2/26
ciscoasa(config)#
ciscoasa(config)# sh nat detail
[code]...
I'm new to this forum and Cisco in general but I feel it may be very resourceful to me as I am a new network administrator fresh out of school for a local credit unionHere's my situation:We need to limit access to one of our servers to only 3 workstations used by our IT department. The server is on a Cisco 3560G on port 17, which is the interface I'm trying to apply a standard, basic ACL to, which looks like this:
View 10 Replies View RelatedI have a handheld device that will be used for inventory outside of our office. It has 3g capabilities. Is there anyway I can permit traffic from this device from the outside world coming into my network? I need to open a couple of ports so it can hit the server. But I have no intention to open these ports up to the entire world. I use an ASA 5520 with a managed router from our provider. I looked around on the Cisco site and the only information I found was for permitting and denying traffic from devices that are within the network.
View 2 Replies View RelatedI have a rule which permits traffic to a web server and logging is enabled. But when I go to syslog I am only seeing traffic which has been denied. What needs to change to be able to see the logged traffic on permit rules?
View 1 Replies View RelatedI have problems in my Cisco network until I connected some Moxa devices.This Moxa are models EDS-316 and EDS-208
My principal trouble is the traffic UDP. Suddently the network don't permit the traffic UDP in VLAN where are connected Moxa devices.
During an hour the Moxa can send TCP traffic, but can't send UDP. If a Moxa device is unplugged from network, all devices connected to him can work offile from principal network, but if I plugg again the Moxa is like disable.
After one hour (more or less) the system restart all functions and work fine.I catch the logs from TXerrorsInPorts and all the ports where is connected a Moxa have errors all time.
I don't know which is the problem, but I think that problem is in negotiation from Moxa to Cisco.This is the configuration from a port where is connected a Moxa: [code]
I have configured a Cisco ASA 5505 to allow VPN access from outside to my LAN using Cisco VPN Client software. The connection is establishing properly with the ip address from my VPNPool. From outside (on VPN connection) I can ping the interface e0/0 (outside) and the interface e0/1 (inside) of the firewall, but I cannot ping the layer 3 switch interface to which the ASA is connected ( int gi1/0/22 ip address 192.168.1.2/30 ) and I cannot ping any vlan interfaces inside my switch. Therefore, I cannot connect to any server on my internal LAN. I am available at any time if further information is needed. find attached my ASA config.
View 7 Replies View RelatedI have One switch 3750 and many switch 2960 c.I use one ASA 5510 to reach emote branche site (vpn conexion).I use one router 1841 for internet conexion.Router 1841, ASA and catalyst 2960 are connected on the 3750.Default gateway of all user is ASA IP
I configured Vlan 3750 and it work.Now I need to implement security : permit/block specific traffic between vlan [code] From vlan 72 I cannot have remote access on computer in vlan 34 and I cannot ping computer in vlan 34.
how to open tcp port 3306 for connections in
View 1 Replies View RelatedI have been a loyal customer of a hosting company for over 10 years. The main reason I have a dedicated server is to eliminate those shared-hosting issues.For the past 4 years the service has been getting crappier. In fact; this week alone the ftp stopped working, mysql stopped working, and email.It is now to the point I have to move all my domains, mssql databases, mysql databases, email servers and countless files.I have been contemplating to set up my own dedicated server (Mac) and hook it up to my ISP. Most of the websites I host are local - only one or two are national/international.
View 5 Replies View RelatedI have a home network with 3 machines. In switch mode "residential gateway" I can connect to MySql on local network, but not remotely (internet). In "cable modem" I can connect to local both network and Internet, with the MySQL server, but I can only use one machine on the network.
I have opened port 3306 in Windows Firewall and the moden-router and redirected to the IP of the machine that has MySql Server. I have dynamic IP, but my ISP gives you the same IP by sector, so I can do testing.
How to get my connection to work well on local network and the Internet, using the mode "residential gateway"?
I have done some searching, but I am unable to find a solution to this problem. I am wondering if there are any solutions that I was unable to find.
View 13 Replies View RelatedBasically, I have a LAMP server for a small landing page for myself.It was all working fine until I got my new router.Now, I can only access my sites on a LAN.All the ports (3306, 80, 22) are opened and multiple port checkers online says so.I followed some of the basic steps mentioned in this forum such as firewall settings such as:
"Port and Address Restriced"
disabled QoS
Enabled Multicast Stream
enabled DNS Relay
set DHCP range to avoid any IP conflicts
Ive even temporarily removed all firewalls completely to make sure that is not the problem.
We have a business need that we have to set up a IPsec L2L tunnel (from multiple locations) to a business partner, we require that the connection can only be initiated from our side, not business partner side. I searched the web, one option is configure our side ASA to initate IKE only, this does not seem to meet our requirement, because once IPsec SA is up, IP layer traffic will flow freely in either direction; the other option people suggested is to use VPN filter in tunnel group policy, but the documention of how to use this vpn-filter to enforce one way traffic policy is not crystal clear to me; I actually configured reflexive ACL on core L3 switch before the traffic hits ASA to reflect/evalulate specific traffic to businness partner's LAN network, that worked well. However one of our branch office's core L3 switch is Cat4K which does not support reflexive ACL with the image it is currently running, so I am stuck again .
View 1 Replies View RelatedFor some reason my ASA is preventing my traffic from going out. I've added some crumby access-list and applied it to NAT for it to work. I don't like this. I know it is not right, but I am not sure what part is wrong. I will highlight the stuff I have added to make it work. I don't see what I am missing. If I were to remove these lines my ASA could ping in both directions (in and out), but my LAN cannot do anything but ping the ASA. No other traffic is going out unless I have added these unsafe lines of code.
!
interface Vlan1
nameif inside
security-level 100
[Code].....
I have a firewall ASA 5520. In this time I have connected 3 networks (192.168.1.0 INSIDE, 192.168.2.0 INSIDE2, 10.0.1.0 OUTSIDE). I follow the article [URL] to configure my firewall, but the ASA no permit traffic (ip, udp, icmp, etc) between the networks.
The configuration that i have is:
ASA Version 8.2(1)
!
hostname Firewall
domain-name xxxxxx.com
[Code].....
I am able to ftp from my Head Office to my test machine at the remote location but I can't get the other way around to work. Error message from the Syslog deny tcp src 192.168.50.5/1825 dst 208.124.202.44/21 by access-group "dmz_access_in".I try a couple of ways to fix it but no luck.A partial config of my ASA 5505. [code]
View 4 Replies View RelatedI've got a client that recently got an ASA 5505. E0/0 is connected to the outside, E0/1 connected to the internal server (Win 2008). The ASA "local network" is 172.30.1.0/24; my internal network is 192.168.1.0/24. I'm able to connect from home through AnyConnect and get a proper address (which I've got a pool of 172.30.1.64/26 assigned for VPN users), but no traffic from my computer will go to the internal network, nor will the internal server (or the ASA for that matter) can't talk to my VPN'd computer.
On the firewall settings on the ASA, I've got it all open: any/any on both inside and outside, just to try and get anything to go through. I've even got split-tunneling working, but not traffic-passing! The config is below (redacting local AAA users).
[Code] .....
I am tasked to connect my VoIP phones from remote site to my corp site. Basically all remote phones will be registering into a VoIP server in corp site. I have a site to site vpn tunnel established already from remote site to corp site. My hardware includes the following:
-Cisco ASA 5505
-Cisco small business POE switch SF300 24p
-Avaya 2015p VoIP phones
Successfully Register remote VoIP phones to corporate VoIP server 10.30.18.55.I have already configured vlan1 10.30.15.0/24(inside lan) and vlan2 public int(outside Internet) which my dmz only allows 2 per my basic asa licensing.When I connect my phones and register it states "subnet conflict" unable to register.
I have a client with an ASA 5505 who has several networks he's trying to get communicating over a VPN tunnel with a remote office. One of the networks is not working because it's also in use on the management interface of the other side of the tunnel and neither side seems willing to re-IP their internal space.
Their proposed solution is to NAT the conflicting network on the firewall on this side to a different subnet before passing it across the tunnel. How do I implement a NAT that only the VPN tunnel uses while keeping the rest of the traffic that comes across this device un-NATted?The network in question is 192.168.0.0/24. Their desired NAT target is 172.16.0.0/24. ASA config is attached.
We have a BT Infinity broadband circuit which terminates at a vdsl modem, I've plugged an ASA 5505 into the back of this modem and gone through the ADSM quick setup wizard (yes I'm that much of a beginner!) The config that's been generated is pasted below, the symptomns I'm seeing are;
The ASA is setup with PPPOE on the internet connection, I assume this is correct as if I do a show IP on the ASA I'm getting an IP address that has been assigned, if I change the password to the wrong one then I get no IP (as expected).
If I ping from the ASA to an internet connection I'm getting "no route" error messages, if I try a "ping outside x.x.x.x" then I get no repsonses.
The ASA can ping it's external IP, the client machines can ping it's internal, however nothing appears to be able to get out.
ASA Version 8.4(1)
!
hostname xxxxxx
enable password xxxxxx encrypted
[Code].....
My first time attempting this so excuse my wrong use of terms..i believe its load balancing...new company site is going to have 2 separate connections:
con 1: 15 up/2 down coax connection
con 2: 6 up/ 6 down dish
con 1 needs to simply have http and https traffic.
con 2 will have security surveillance, SNMP, and VoIP (PBX)
the hardware i know that will be at that location when i fly up there is a Sonicwall TZ210 and a 48-port Netgear gigabit...where do i start?
In QoS, voice traffic is usually marked EF and placed in a priority queue. But interactive video traffic, like VTC, should also receive priority treatment. Can I put both classes in their own priority queues in the same policy map? I thought there could only be one LLQ, but I'm not sure about it. An example of the config I'm thinking of is below. Voice would be marked EF, VTC would be marked AF41.
View 6 Replies View RelatedI would like to properly configure my L3 to support iSCSi traffic. My L3 acts as an internal router between 4 different sub nets.
I have a iSCSi SAN on my network. A Windows server has Microsoft iSCSi initiators connecting to the SAN.
I have ASA 5505 that has two inside security level 100 interfaces and an outside interface.On the inside interface we have corporate domain subnet with DC and 30 hosts. On the inside2 interface I have few servers that runs specific application important for our business needs, and dumb terminals that are connected to them.I have a laptop user that periodically needs access from our corporate vlan1 to one of the servers on inside 2 vlan via remote desktop or some other remote viewer client,so he can view reports etc.I have enabled same-security-traffic intra-interface command and added nat exempt command pointing specific laptop host machine to that specific server.
Now my main concern is regarding security. This user carries his laptop home, browses the web, puts USB memory, and you can imagine how this machine is susceptible to all kind of malicious software. Inside2 vlan is very important and until now it has been a very secure environment.This is no longer the case since all traffic between this inside sec level 100 vlan host and corresponding inside2 sec level 100 server is now allowed because of the enabled same level interface traffic and nat exemption rule. Do I have another solution that would allow communication based on just a tcp port number for this host? Something like port forwarding from outside to inside Vlan interface?
I've a asa 5510 on the main site and different ASA 5505 on secundary sites for VPN tunneling between the sites. The problem is that the tunnels are acomplished but no traffic is going over them. What am i doing wrong? For the moment there is a ASA 5505 on the main site managing the tunnels but I want the 5510 to take over the job.
View 5 Replies View RelatedWe have 110mbps internet service. When we have the 5505 behind the cable modem, our speed drops to 55mbps or so. If we remove the 5505, we see the full 100mbps. I assume the 5505 can handle the speed; if so, what other things should I be looking at?As an aside, we used to have 50mbps wich worked fine, then the ISP upgraded to 60mbps and the through put dropped to 30mbps (It always seems to be half)
View 2 Replies View RelatedMy understanding is for insight to outside we need global and NAT, and for outside to inside we need static and ACL? Traffic goes to high to low, I'm just start working with 5505 recently.
View 2 Replies View RelatedSo I have an asa 5505 running ipsec and anyconnect and it has been working great for months. I have not made any changes to the config, but suddenly all of my anyconnect traffic is being dropped. The vpn uses the same subnet as the LAN. I tried putting a rule in to allow all traffic from the LAN subnet on the outside interface. Now I just get the WEBVPN-SVC Action-Drop in packet tracer.
View 1 Replies View RelatedTwo 5505 ASA's for a customer main site and a local office. I have the tunnel up. But I'm unable to pass traffic across it.
Main Site:
ASA Version 7.2(4)
!
hostname Town
enable password iNbSyJZ1ffmb9kn1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....
I've configured an ASA5505 to be Lan to Lan VPN tunnel endpoint, peering with a linux box. The ASA is full licensed so that side isn't an issue.PROBLEM:When the tunnel is initialised from the linux box everything comes up okay except the ASA isn't encapsulation any packets. It is decrypted the packets received from the Linux box okay but no return traffic is being encrypted.When the tunnel is initialised from the ASA, nothing happens.After some troubleshooting I've found that the ACL defining interesting traffic nor the ACL defining NO_NAT aren't being hit at all.
ACL for NO_NAT:
access-list NO_NAT line 1 remark ACL USED TO DEFINE WHAT TRAFFIC NOT TO NAT OVER THE VPN
access-list NO_NAT line 2 extended permit ip host PAMS_SERVER object-group LINUX-BOXES 0xc736d5fb
access-list NO_NAT line 2 extended permit ip host PAMS_SERVER 10.11.228.0 255.255.255.0 (hitcnt=0)
[code]....
I've checked with the administrator of the linux box and the definition for interesting traffic is exactly the same (except in reverse as should be the case).The firewall is doing other things like NATs and such like too but those NATs have nothing to do with this VPN. The setup is a LAN to LAN connection with no natting in between.The main parts of the config are attached, i've deleted things that should have a bearing on this however if you think it necessary i can sanitise the config and re-post. I think it will be working fine as long as the traffic hits those ACLs, however they're not and I'm unsure why.At this time i'm not seeing anything at all when doing an debug cry ipsec or debug cry isa. The ACL's aren't being hit so i'm guessing it's not even trying to form the VPN as it can't see any traffic that constitutes being 'interesting'.
I have a Site to Site IPSEC VPN Tunnel created with ASDM wizard.
Cisco ASA-5505
Peer A: x.x.x.x
Lan A: 192.168.0.0 255.255.255.0
Fortinet FortiGate-50b
Peer B: y.y.y.y
Lan B: 192.168.23.0 255.255.255.0
I start traffic from LAN B with a ping (or telnet it doesn't matter) that receive no reply but tunnel goes up fine.
"show isakmp sa" seems ok (says "State : MM_ACTIVE")
"show ipsec sa" seems ok but all #pkts are zero
try ftp, telnet from LAN B to LAN A systems but no one work. "show ipsec sa" all #pkts are zero As soon as I generate traffic from LAN A to LAN B these works (with tunnel already up) also traffic from LAN B to LAN A works.Obviously if I end VPN and start tunnel making traffic from LAN A all work fine bidirectionally, LAN A reach LAN B and LAN B reach LAN A.No msg logged in either two appliance.
Seems a very strange problem because seems not related to Phase1 or Phase2 already established.Traffic (routing ?) start works only after at least one packet goes from LAN A to LAN B.No msg logged in either two appliance.Problems begun in ASA version 8.0(4) ASDM version 6.1(3) and remain/continue after upgrade to ASA Version 8.4(1) ASDM version 6.4(1).
I have VPN up and running between two sites. Both sites have Cisco ASA 5505. I can ping across the devices from both networks. But I cannot remote into the servers on the other network.
View 8 Replies View Related