Cisco :: What Data Is Assigned To What Object On ASA5510
Jul 17, 2011
I'm trying to determine who's throttling our 'Outside' interface because it's being hogged. Is there an easy way to see what data is assigned to what object on our ASA5510?
Feb 14, 2013
On our ASA5510 in the area AAA Server Groups, there is an entry for LDAP and an object that refers to our 2003 Domain Controller. This DC has LDAP over SSL enabled and I can see the DN and Password for a domain user account. I've created two new DCs, both R2 2008, but when I enable these in the same way it says it could not authenticate, ERROR auth server not responding, AAA group removed. I thought this had something to do with CA being installed on a DC, but it's not running as a service on the DC that was already referred to.
Apr 7, 2013
Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
object-group network test
network-object 192.168.0.0 192.168.63.255
?
network-object-group mode commands/options:
A.B.C.D Enter an IPv4 network mask
sh run ob id test
object-group network test
network-object 192.168.0.0 192.168.63.255
I found that in the documentation it requires a netmask as opposed to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug, how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range it looks like the ASA doesn't read that configuration properly.
Jan 10, 2006
Any data sheet or a brochure with the ASA5510 MTBF?
Jan 6, 2012
Just planning my move to 8.4(2) and I'm looking for some input. In the past, I have a text file with name commands for every host on my network that I know about. I would then deploy this list to all ASAs so that I could create ACLs on any firewall using a name, which would correlate to the same IP on any firewall. Now, the names from the name command no longer work as a host entry in ACLs, therefore I'm required to switch all of my active name command entries over to objects. My question is, have any of you found an easy way to change all name commands to objects? Since the name command doesn't specify the mask of the entry, I think this may not be possible without manually updating thousands of records. I know that once I migrate, there will be some objects auto-created, but those will only be hosts and/or networks which have NATs associated with them.
Jun 8, 2011
Is it possible somehow to define externally administered DNS names in ASA 8.4 within object groups? I know that we can use name XXX, but some idea popped up using this kind of configuration.
Oct 26, 2011
Environment: Solaris 10(Sparc)
LMS 3.2
RME 4.3.1
CS 3.3.0
CM 5.2
I need to delete a device from CiscoWorks but I cannot find it in the Common Services->Device Management search. I can find it by IP address using the Network->Object Finder. It has an IP address, hostname, display name, and "managed by" information in the search results. Supposedly it's managed by:
RME
IPM
DFM(listed twice)
However, when I click on the device link, it has almost no tools available (limited to ping) and no device information. I'm hard pressed on how to delete the item without having it in Common Services so that I can select it and then click on "delete". How can I purge this device?
Dec 18, 2011
We have an ASA5505 that we need to enable hairpinning on.... In the old firmware versions, we used to be able to configure a public to private static mapping along with hairpinning by using
static (inside,outside) outside_ip inside_ip netmask 255.255.255.255
static (inside,inside) outside_ip inside_ip netmask 255.255.255.255
In 8.4, if I use object nat, the hairpin functionality works perfectly,
object network obj-insideip
nat (inside,inside) static publicip
however, since object nat only allows a single nat statement, I was attempting to use a twice nat to enable the hairpin functionality, but have been unsuccessful in coming up with the right combination of parameters for the functionality.
nat (inside,inside) source static private_object public_object destination static public_object private_object
allows hairpinning to successfully work from the same machine. Meaning on any given host, I can ping itself using the private or public IP, but I can't get the right combination for hairpinning from any private host to another private host via the public IP. Other combinations have yielded ICMP responses, however, they specify the private IP as the source of the reply instead of the public IP.
Aug 19, 2012
There is something wrong with the ordering of our NAT rules. We are running ASA Version 8.4(2)8 and the NAT config is pasted below.
I want outgoing SMTP traffic to be translated to xxx.yyy.zzz.18, but instead it's translated to xxx.yyy.zzz.20 (the outside-interface address). The same goes for FTP traffic; according to packet tracer this is also translated to xxx.yyy.zzz.20.
Cisco's manual states that static NAT rules take precedence over dynamic NAT but that doesn't seem to work for us. [code]
Jun 6, 2012
The ASA 5510 has two models, Bun-K9 and Sec-Bun-K9. From the datasheet I found the differences are port-related and redundancy. My question is: is there any major difference in security services between the two models?
Jun 4, 2013
I have just set up my asa5505 and while in the sh run I have the following lines
-dhcpd address 192.168.2.200-192.168.2.231 inside
-dhcpd enable inside
-dhcpd dns 68.94.156.1 interface outside
When a client connects to the device, like 192.168.2.215, there is no DNS assigned. My devices are unable to access the internet unless I manually assign the DNS in the local settings for that host.
Jan 3, 2013
On one of my computers I'm having multiple issues. When I am on most websites it pops up "TypeError: object unexpected" or just "object unexpected" and I have to refresh the page for them to go away, but if I hit the back button or go to another section of the web page they pop back up. The same computer is now having connection issues and only has "unidentified network no internet access" as the only option, and after everything I have tried it will not budge on the wifi.
Mar 5, 2012
Any way of doing named objects or object groups for ACLs on the ASRs? (1000 series in this case.) I'm setting up an ASR with a zone-based firewall and writing out all the addresses, ports and protocols for the ACLs associated with the various zones is creating huge, unwieldy ACLs in the config.
Oct 30, 2011
I'm going to replace a Cat6513 with a Nexus 7018. In my Cat6513, there is object tracking config as follows:
ip sla monitor 1
type echo protocol ipIcmpEcho 112.78.254.249
timeout 3000
frequency 6
ip sla monitor schedule 1 life forever start-time now
ip route 172.17.7.0 255.255.255.0 165.202.51.46 name VPN-1 track 123
Is there a similar feature in the Nexus platform? Because from the Nx-OS command ref, I only found:
ip route ip-prefix/mask {[interface] next-hop} [preference] [tag id]
It seems a track object can't be associated with a static route in Nx-OS?
Jul 28, 2011
I have a 3560 switch located in a warehouse environment. I need to monitor the temperature of this switch. I am looking for the OID value that serves this purpose.
Kindly tell me how to look for all OIDs that give me real-time status for FAN, CPU UTILIZATION, TEMPERATURE, OR ANY MAJOR EVENT THAT CAN DISRUPT MY PRODUCT IN .
Jul 20, 2011
I have an ASA5510 where I have defined object-groups and then associated them with a specific ACL. Our ISP is pulling their point of presence from where I live and I am forced to move to a new ISP. I am in the process of setting up another interface for the ASA5510 to connect to the new ISP.
My question is, can I create a new ACL, let's call it new_access_in, and use it with the same object groups that I have already defined? I know that I can only have one ACL bound to an interface, and will bind this new ACL to the new interface I am setting up, but I wasn't sure if I could use the same object groups and connect them to a different ACL. I really don't want to have to create new object groups if I don't have to.
Jan 30, 2012
I have recently upgraded my ASA 5510 to 8.3 code and honestly I am confused on the best and most efficient way to do many NAT translations through it. I have a group of about 100 IPs that need http/https/and sqlnet allowed through for our web farm.
I have a text file with the real and translated IP addresses and in 8.2 I could simply modify it and dump the thing in and make the NAT rules and access-lists. Now with the new object-based model I am having a hard time wrapping my brain around how to do this using as few lines of code as possible.
Do I have to create a network object for each and every IP I want to NAT through?
May 9, 2012
I have an ASA 5510 and have just started using object-groups which are super handy in theory, but not working in reality. I have a service object-group with a mix of tcp, icmp, and udp ports. Let's call it Sample_Port_Group. I'm trying to apply it to my dmz_access_in ACL. Here's the line giving me problems:
access-list dmz_access_in extended permit object-group Sample_Port_Group 192.168.1.1 any
The ASA throws up an error between 192.168.1.1 and any. When I put a ? after Sample_Port_Group, it gives me the option of putting in an IP address, any, etc. When I put in a ? after 192.168.1.1, it only gives me the option of putting in an IP address. URL
Those posts gave me the impression my line was possible, especially the "access-list outsideacl extended permit object-group myaclog interface inside any" line, which is at the end of the 2nd article linked.
Apr 28, 2012
I just tried to do a quick privilege level setup for a user to limit access to the ASA. The user should be able to add NATs to the configuration. ASA 8.4 is in question and trying the following does not seem to work:
privilege configure level 3 command object
gives me
ERROR: specified command 'object' not found in any mode.
It looks like locally this cannot be done or I am doing something wrong?
Feb 1, 2011
I've assigned the static IP to the server, but when I go back to network properties it shows Obtain IP address automatically; however, the network is working fine with the previously assigned IP.
May 29, 2011
I've read a lot of threads on this and tried a lot of the suggested solutions... nothing has fixed my problem yet. I'm running Windows XP SP2. I've recently been installing a VPN and setting up firewall rules. I didn't have any problems (was using Comodo firewall) until I installed Sygate Firewall. I've since un-installed but still can't get Windows to connect to the internet via wired or wireless connections [CODE]
Feb 7, 2012
configure my cisco 892 router want a static ip address assigned to the interface because and I have no more internet on the router because am working on my network academy for CCENT?
Jul 27, 2011
I'm new to working with the ASA 5505, VPN and reverse NAT.
The basic setup is as follows. I'm trying to set up an IPsec site-to-site tunnel with reverse NAT on the remote side.
I have the tunnel up and it passes traffic. I have set up reverse NAT for 172.x.x.1 to translated IP 216.x.2.101; my ASA also has an IP address of 216.x.2.102.
Any connection from 172.x.x.1 to 216.x.2.1 should appear to be coming from 216.x.2.101.
When I ping or telnet from 216.116.86.1 to an open port on 216.x.2.101 I get the banner from 172.x.x.1, so it seems like it is working.
However, in my setup I'm only given a single IP, that of the NAT address 216.x.2.101, so when I remove the IP address assigned to the inside interface, 216.x.2.102, all connectivity is lost.
When I set the inside interface to 216.x.2.101 and I set up a static NAT rule for 172.x.x.1 to 216.x.2.101, I get a message that says all traffic will be redirected and I will be unable to connect to the ASA.
Once that's in place, and I make any connection from 216.x.2.1 to 216.x.2.101 on any port, I get a connection but then it's reset; I no longer get the telnet banner I was expecting.
My running config is,
ASA Version 8.2(1)
!
hostname ciscoasa
[Code].....
Jan 6, 2011
I have a Cisco ASA 5510 with a 5 block of IP addresses assigned from our ISP. I am having issues with connectivity and routing traffic from the outside interface to the outside interface. I have my outside interface set up with IP address of 24.182.x.146; it allows internet access and also hosts a web server. Any time I have a client using this device for internet access, I am unable to have traffic accepted for my web server. I.e., 100.100.x.52 is using this device, it browses to https://24.182.x.146 and it gets an unable to connect. I am able to connect to the web server from any other ISP/device. [code]
Dec 27, 2011
I've been using this setting for clients in small offices and whatnot, and since all they wanted was to give another notch of security to their network, we've been installing Cisco 2600 series routers still out there for their internet connections and we had no issues whatsoever, not until we ran into a cable ISP provider, and their DHCP won't assign our interface a dynamic IP. This is the setting applied to the router interface:
interface fastethernet0/0
ip address dhcp
ip nat outside
no ip redirects
no ip unreachables
no ip proxy-arp
Why won't it be seen or assigned an IP by their DHCP? I talked to their ISP and they assigned a static IP (a private one) and we still have the same issue. If I connect a PIX 506e interface with ip address dhcp assigned to it, it gets a dynamic IP right away...
Apr 21, 2012
I have a problem with my AIR-AP1041N-E-K9: I do not seem to get an IP address assigned after a reset to factory defaults. I do see the AP with CDP:
Device-ID: ap
Advertisement version: 2
Platform: cisco AIR-AP1041N-E-K9
Capabilities: TransBridge IGMP
Interface: gi5, Port ID (outgoing port): GigabitEthernet0
Holdtime: 163
Version: Cisco IOS Software, C1040 Software (C1140-K9W7-M), Version 12.4(25d)JA1, RELEASE SOFTWARE (fc1)
[code]...
I also noticed that when I connect to the AP via console cable, I can see the AP boot up in the console session, but then I do not get a login prompt, though it seems like the AP is responding; if I shut down the interconnecting link between the switch and the AP, I do see log messages appearing in the console connection. I have tried to debug on the switch, but I need a password so I can debug, which I do not have.
Jun 21, 2012
I have a Cisco 5520 using ASDM 6.4
Currently my VPN settings use a shared key without a certificate to access the VPN. I would like to now set up a self assigned certificate from the ASA and get users to import the certificate in order to VPN.
Aug 3, 2011
I have a Cisco 1811 router running the 15.1(3)T IOS. I am having some difficulty with the current zone based firewall and the SSL VPN.
When a user connects, they are put into Virtual-Template 1, which has a zone-based assignment of "sslvpn". However, the traffic report for the users is listed as being blocked by the zone-based firewall in the outbound direction (office out to the WAN zone).
Apr 6, 2011
webpage error details object required
Feb 5, 2013
Anyone know when object-group ACLs will be supported in cat4500 IOS-XE? Doesn't seem to be supported now.
Feb 6, 2013
I have 3 ASA 5510s, two of which are in production, and the 3rd one is new. I inherited the two in production and was trying to configure that 3rd one using some of the existing object-group network statements. The problem is that when I try to create a range of IPs in one of the object-groups, the range command is not available. Here is one of the statements extracted from one of the production ASAs: object network REMOTE range 62.77.130.14 62.77.130.208. Both ASAs have the same image ver (asa842-k8). Is there something that I am missing to be able to enable the range option on the new ASA?
Sep 26, 2011
I have an ASA 5520 8.4(1) with the following config:
interface GigabitEthernet0/0
nameif WAN
security-level 0
ip address 216.52.185.33 255.255.255.240 standby 216.52.185.34
!
I need traffic (port 9350) from DMZ and WAN forwarded to object Production_23 port 3389. How do I achieve this?
Oct 30, 2012
Received Error:Object "Dot11BandSelect" does not exist. when configuring the 802.11 settings on a 4400 WLC running ver. 6.0.196.0