Router / Firewall / VPN All-in-one
Jul 12, 2011
We are moving away from our managed router and firewall from our old ISP to a new one. Previously we have used older Cisco products with a separate Firewall/VPN and Router. I would like to look at some of the combined appliances. Here is what we need:
1. a Router that won't choke on fairly heavy web browsing for 70 end users.
2. a Router that can handle 10 MB of fiber.
3. A Router with a combined firewall & simple vpn for 1-2 remote users.
Mar 20, 2013
I have a simple setup where I have a 2911 router with three interfaces, Inside, Outside and a second "Inside" interface which is labelled as a DMZ. The Zone Firewall applied to the "DMZ" is actually Inside (until I can work through problems). I need to be able to access a device on the DMZ via its external IP so I have designed NAT to use IP Nat Enable commands. This is now working for me fine. However, since utilising IP Nat Enable, my zone firewall now denies return TCP / UDP traffic and consequently I no longer have any internet access. Looking at the syslog messages, the reason for this is that the router is denying these return flows not because they are matching the outside-to-inside policy, but rather they are matching the outside-to-SELF policy. The router seems to detect that the internet traffic is being returned to SELF, when in reality the NAT rule should pick this up and forward it to inside. I can understand why this is happening, because I am NATting all private / inside traffic behind the external IP of the router, which is assigned to the Gi0/0 interface. [code]
Jan 15, 2012
How can I turn off the firewall of my router? I guess I need to type the default gateway address in my browser and find settings there for turning the firewall off.
Feb 9, 2011
I need to get past a Cisco firewall my roommate set up on our internet. I have zero access to the internet, and cannot access a website like Vtunnel to get around it.
Feb 22, 2013
I am researching routers for a large enterprise application, and their usability as firewalls. Also, is there one that is considered to be better over another?
Nov 3, 2011
Two Router Connected on One Switch and switch on Firewall?
Mar 8, 2013
Are stateful firewalls available in SOHO wifi routers? Assume they have to be configured. Do they? Are they any value without a config?
Jan 31, 2012
We have Cisco router 2851 and asa firewall. We configured on the router for IP phones and ISP connected. The ISP directly connected on the router and asa firewall connected to the router. We have plan to configure VPN on the router. We have available public ip address. If I configure the VPN on the firewall we need to configure firewall local ip address to public ip address. So how to configure firewall local ip to public ip? Where can we configure it, I mean on the router or firewall? Firewall and router configuration.
Oct 20, 2012
In my company, we have two Internet connections, one for VPN and the other for emails and browsing. I have Cisco 1841 router with dual ADSL links, and also it's connected to ASA and the other PIX through one physical interface (vlan 1 and vlan 2). The PIX firewall is connected to users, and the ASA is for VPN only. How can I separate the traffic that is going for emails and browsing and the vpn traffic? I have got to the point, that the router is configured for both ADSL connections, and I also configured the access-list and route-map in the router, the thing is when both ADSL configured together none of them works.
Jan 25, 2011
How can I use a 1800 router as a firewall. I want also the router be able to make VPN.
Nov 22, 2011
I would like to use an ASA5505 as a simple LAN-to-LAN ethernet router. My plan is to configure two interfaces with the same security level and then use the command that allows interfaces with the same security level to communicate with each other. I can get this to work without having to set up any ACLs or NAT stuff.
Jun 9, 2013
I have a simple setup lab in GNS3. I am having a problem pinging from the ASA to the outside world. If I'm in the router, I can ping fine (ping 4.2.2.2), I'm getting a reply back. But no luck on the ASA itself. For now I just wanted to get the ASA to ping outside the cloud. Then later I play around with the host pc. ASA Version 8.4(2) [code]
Sep 10, 2008
I had a working vpn configuration between a local and a remote router; the remote router is not under my administration. Now I moved the vpn termination from my side to an ASA5540 software version 8.0(3). The tunnel is up but there is no reachability. The "show crypto ipsec sa" on the ASA shows encapsulated packets but NO decapsulated packets! Routing and no_nat are properly configured.
Oct 19, 2012
Is there a Network product which does "Routering" and "Firewalling" functionality at the same time? If there is then what are the advantages and disadvantages against using a Router only device connected to a Hardware Firewall only device?
Sep 19, 2011
Is the ACL matching logic between a Cisco router and a Cisco firewall (PIX/ASA) the same? If not, what are the logic differences? I understand that in a router, once a match is found the statements below the match are ignored, I wonder if this applies to firewall.
Jun 9, 2011
I can't seem to receive emails although I can send them and my printer is off line. Had an IT guy come out and got me to the internet but he didn't make sure I was receiving emails or able to print.
Feb 11, 2013
Configuring Cisco 1841 router and firewall. My provider has put their equipment and given me 2 subnets with public ip address. I am used to getting just one Subnet and connecting my firewall straight to the hand off. But in this case I am a bit confused. I assume I will need to put a router and configure it with before I connect my firewall. [code] I also have a firewall that I would like to be on the subnet 2 at 200.xxx.97.130 and have my private network 192.168.xxx.xxx behind it.
Oct 27, 2012
how to disable firewall on w302r tenda router?
May 18, 2011
I am unable to access a certain website when I go through my router. I have bypassed the router to see if that was the issue and I can access the website with just my modem hooked up.
Aug 29, 2011
need to disable firewall settings router Tenda D840R
Aug 11, 2011
I am pretty new to the configuration of a DMZ and I have the task of setting one up. I have a Cisco 2811 Router running Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3), 2 FE interfaces. One FE is connected to the WAN, with a loopback interface configured with the public IP for Internet access in the office. The other FE has 2 sub interfaces configured, one for data and the other for voice traffic. Users within the office are configured to use the data VLAN to access the internet through the WAN.
Now we are setting up some new services and we require to have DMZs set up. I want to set up 3 zones now that the different servers would reside in. How can I achieve this using the existing infrastructure I have? I have an idea to create more subinterfaces and assign them to the zones, but I am still not sure how this would play out. I have been on this for the whole day and unable to make significant progress.
Dec 7, 2012
I have two router Cisco 887 with vpn site-to-site:
Site A:
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key ********* address 85.34.AAA.AAA
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
[code]....
I want to remove VPN configuration from the router and put VPN Configuration on Cisco ASA 5505. The scheme would be: ASA5505 (vpn site-to-site) -> 887 -> INTERNET, this for both sites. My problem is that I do not know what ip to put on interface Outside of firewall. For example on Site A delete all VPN configuration from 887 and leave only ATM0.1 point-to-point, on interface Outside of ASA put ip of loopback (of router 887) and as default route 85.34.2.XXX. Right?
Apr 9, 2011
How to configure an Asa that will have a default gateway to an edge router that will be doing PBR? We would like Internet surfing to go out one ISP while internally hosted services in the Asa DMZ would go through the other ISP. configuration examples for both the edge router and the Asa?
Jun 27, 2011
I just purchased this Cisco 2921 router and have all the configuration completed except the Firewall and NAT. We have 4 subnets at our location on the router each with a DHCP handed from the router to our network. Any examples for the Firewall and NAT configurations?
Sep 20, 2012
I enabled the IPS on the 2911 router. I am using the Basic IPS signatures that are inbuilt on the routers. But still it is showing that no signature is active.
ip ips signature-category
category all
retired true
ip ips signature-category
category ios_ips basic
retired false
[code]....
Mar 17, 2013
I have a 7100 router that has some servers behind it. I need to translate each server to a public IP. The only thing is that between the outside world and the router is an ASA. We have a small data center where the ASA is connected to a core switch on the inside and the ISP on the outside. How would I do the NAT/PAT translations on the 7100 and then have them pass through the ASA? for example:
Jul 27, 2011
I have Cisco router 2800 IOS and Version is (c2800nm-spservicek9-mz.124-6T5.bin) (IOS Version 12.4(6)T5). I want to install firewall.
Aug 5, 2012
For the moment we have a router Linksys RV042, and we want to change it with a Router Cisco 891. I have configured our new router Cisco 891 using Cisco Configuration Professional because I am not a Cisco expert:
I have configured : DHCP, DNS, NAT, Firewall (I have selected : Advanced , Low Security) . I have tested the new router and :
- Internet is working
- We can send Emails, Receive Emails from Outlook
- Our Web sites can be accessed from the outside.
- File Share is working
We have 2 problems
1. Can't access from inside the network: our public IPs configured in the NAT: **.***.**.150.
When we try: ping **.***.**.150, we receive: Request Timed Out. When we try ping 192.168.1.2, everything is ok. When we try ping from outside of the network, everything is ok.
PS : I want to mention that : if I put back the old router I can access our public IPs.
2. When I send Emails to yahoo and access View Full Header I receive : dkim=temperror (key retrieval failed)
------------------------------------------------------------------
Received-SPF: pass (domain of ********.com
designates **.***.**.150 as permitted sender)
Authentication-Results: mta1036.mail.ac4.yahoo.com from=********.com; domainkeys=pass (ok); from=********.com; dkim=temperror (key retrieval failed)
Received: from 127.0.0.1 (EHLO mail.********.com ) (**.***.**.150)
[code]....
I think our Email Server (Smarter Email) is using the IP address: 127.0.0.1 (Please look in the attachment) and this IP is restricted from the firewall (ccp in zone to out zone : Drop : 127.0.0.0/0.255.255.255) (generated by Advanced firewall > Low Security). How can I set that to work? Can I delete that row?
May 17, 2010
I have a Cisco SR-520 router which I am trying to configure and install the IOS content filter. I have read many of the documents on this but some of the lines do not work, from using the pages below URL
You are supposed to enter parameter maps as follows:-
parameter-map type trend-global global-param-map
server trps.trendmicro.com
cache-size maximum-memory 256
cache-entry-lifetime 1
The router has 12.4 (20) T4, which is supposed to be supported, the only other way of configuring is using CCP which is not compatible with SR-520's, you receive hardware not supported messages.
Oct 4, 2011
I am trying to configure Zone Based Firewall (IOS 15.2T) on Cisco 881 router for IPv6. Current setup is simple:
Zone: LAN --> WAN
zone security LAN
zone security WAN
!
class-map type inspect match-any Internet-cmap
match protocol dns
match protocol http
match protocol https
[ code ] ........
Current configuration behaves as expected for IPv4, but blocks all IPv6 traffic. If zone-security is removed from WAN interface IPv6 works normally (connected to Internet). As soon as zone-security is enabled on WAN interface all IPV6 traffic is discarded when connecting to Internet from local LAN.
Error messages on console: Half-open Sessions source destination tcp SIS_OPENING/TCP_SYNSENT
Are there any special settings for ZBF which should be turned on for IPv6 protocol?
Jun 20, 2011
I have a 857 doing NAT for the internal vlan1 interface (192.168.20.0/24) attached traffic.
ip nat source static tcp 192.168.20.5 3389 interface dialer0 3389
ip nat inside source list aclAllowNAT interface dialer0 overload
I would like to turn CBAC (packet inspection) off, but still maintain an ACL on the ingress to Dialer0 (traffic in from the Web) to protect access to some sensitive material (doctor's surgery) and only allow RDP from designated sites. I realise there are other ways to publish the access to the terminal servers but this way has advantages we need, and is in place.
ip access-list extended aclAllowNAT
permit ip 192.168.16.20.0 0.0.0.255
ip access-list extended aclIngressFromInternet
permit tcp host xx.xx.xx.xx any eq 3389
...
But of course when I do this and apply the access list to dialer0 all NAT traffic stops as it doesn't have CBAC there telling it to allow the inspected traffic.
What do I need to put in the aclIngressFromInternet ACL to allow the NAT traffic with CBAC off?
Mar 19, 2013
I am trying to troubleshoot an ASA5505 connectivity issue. My initial tests are to ping the Internet router from the ASA. This is failing and also a sh arp only shows internal addresses.
I have to go to site to check this out to confirm the following.
1: Should I be able to ping the Internet router from the ASA?
2: Do I need to permit any icmp to do this?
3: Should a sh arp show the address of the internet router?
I tried entering the command permit icmp any outside
However I got the error route already exists 0.0.0.0/0.0.0.0
Dec 5, 2012
I have recently hit a brick wall with my router... Yesterday the router was acting funny, rebooting about every 5 to 10 minutes. Didn't really think anything of it, then it got annoying fast. So I checked my configs and nothing was out of normal, checked my firmware and noticed it was out of date. So I grabbed the newest firmware 1.2.0.9 and uploaded it... uploaded fine and then rebooted as it should. At that time the power flickered again because someone had plugged a large ac adapter over top of the power switch on the power bar and it was intermittently turning the power off when the table moved... the router then power cycled mid update and is now stuck at the blinking power light state and hasn't changed for 24 hours now...