ASA 5510 Firewall internet Restriction based on IP address and block rest users excluding Mails
Hi,
As I have an assignment to create an access list based on IP address: we have to allow internet access for the IP range 192.168.172.201 to 212,
and block the rest of the users, excluding mail.
Please help.
Thanks,
Regards,
Hemant Yadav
login as: Rakh
[email protected]'s
password:
Type help or '?' for a list of available commands.
FAST-HQ-ASA> en
Password:
Invalid password
Password: ***********
FAST-HQ-ASA# show rum
^
ERROR: % Invalid input detected at '^' marker.
FAST-HQ-ASA# show run
: Saved
ASA Version 8.3(1)
hostname FAST-HQ-ASA
enable password 7tt1ICjiO2a2/Hn2 encrypted
passwd U8oee3lIrDCUmSK2 encrypted
names
interface Ethernet0/0
description ASA Outside segment
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 62.173.33.67 255.255.255.240
interface Ethernet0/1
description VLAN AGGREGATION point
no nameif
no security-level
no ip address
interface Ethernet0/1.2
description INSIDE segment (User)
vlan 2
nameif INSIDE
security-level 100
ip address 192.168.172.1 255.255.255.0
interface Ethernet0/1.3
description LAN
vlan 3
nameif LAN
security-level 100
ip address 192.168.173.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INSIDE
subnet 192.168.172.0 255.255.255.0
object network LAN
subnet 192.168.173.0 255.255.255.0
object network MAIL-SERVER
host 192.168.172.32
object network DENY-IP-INTERNET
range 192.168.172.121 192.168.172.200
object-group service serBLOCK-INTERNET tcp
port-object eq www
object-group network BLOCK-IP-INTERNET
network-object object DENY-IP-INTERNET
access-list 102 extended permit icmp any any time-exceeded
access-list 102 extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq smtp
access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq https
access-list BLOCK-WWW extended deny tcp object-group BLOCK-IP-INTERNET any object-group serBLOCK-INTERNET
access-list BLOCK-WWW extended permit ip any any
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu LAN 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network INSIDE
nat (INSIDE,OUTSIDE) dynamic interface
object network LAN
nat (LAN,OUTSIDE) dynamic interface
object network MAIL-SERVER
nat (INSIDE,OUTSIDE) static 62.173.33.70
access-group OUTSIDE-IN in interface OUTSIDE
access-group BLOCK-WWW out interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 62.173.33.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 192.168.172.37 255.255.255.255 INSIDE
ssh 192.168.173.10 255.255.255.255 LAN
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username Rakh password EV9pEo1UkhHJSbIW encrypted
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1ee78d19f958efc6fd95f5e9d4e97b8d
: end
FAST-HQ-ASA#
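One way to do what the original post asks, written here as an added example (it is not from this thread and not Cisco's own guidance). It turns the existing "deny a range, permit everything else" list on OUTSIDE into an allow-list applied inbound on INSIDE. The interface names and the INSIDE and MAIL-SERVER objects are taken from the posted config; the set of mail ports, the DNS permit, and leaving the LAN interface (192.168.173.0/24) untouched are assumptions.

```cisco
! Added example (not from this thread). Allow-list approach for ASA 8.3(1):
! only 192.168.172.201-212 get full internet, everyone else on INSIDE keeps
! only mail (and DNS), and everything else is denied and logged.
! Assumptions: interface names INSIDE/OUTSIDE and the INSIDE/MAIL-SERVER objects
! come from the posted config; the list of "mail" ports and the DNS permit are
! assumptions, as is leaving the LAN interface (192.168.173.0/24) as it is.
!
object network ALLOW-INTERNET
 range 192.168.172.201 192.168.172.212
!
! Mail protocols internal users (and the mail server itself, which sits in the
! INSIDE subnet) may still use towards external servers.
! Assumed set: SMTP, submission, POP3/POP3S, IMAP/IMAPS.
object-group service MAIL-PORTS tcp
 port-object eq smtp
 port-object eq 587
 port-object eq pop3
 port-object eq 995
 port-object eq imap4
 port-object eq 993
!
! ASA ACLs are first-match, so the narrow permits come first and the explicit
! "deny ip any any log" at the end catches every other user. The log keyword
! is what lets you see who is still trying to get out after the change.
access-list INSIDE-IN extended permit ip object ALLOW-INTERNET any
access-list INSIDE-IN extended permit tcp object INSIDE any object-group MAIL-PORTS
access-list INSIDE-IN extended permit udp object INSIDE any eq domain
access-list INSIDE-IN extended deny ip any any log
!
! Apply it inbound on INSIDE (traffic entering the ASA from the user VLAN).
access-group INSIDE-IN in interface INSIDE
!
! With this in place the old BLOCK-WWW list on OUTSIDE is redundant; its final
! "permit ip any any" is what lets the 121-200 range out for non-www traffic today.
no access-group BLOCK-WWW out interface OUTSIDE
!
! Verify with packet-tracer (203.0.113.10 is a placeholder destination):
! packet-tracer input INSIDE tcp 192.168.172.205 12345 203.0.113.10 80   (expect: allow)
! packet-tracer input INSIDE tcp 192.168.172.150 12345 203.0.113.10 80   (expect: drop by acl)
! packet-tracer input INSIDE tcp 192.168.172.150 12345 203.0.113.10 25   (expect: allow)
```

Two things to keep in mind. Users in the INSIDE VLAN talking to the internal mail server 192.168.172.32 never cross the ASA, so no rule is needed for that; the MAIL-PORTS permit is what keeps external mail (and the mail server's own outbound SMTP) working. Inbound mail to the server is already handled by the existing OUTSIDE-IN list, which on 8.3 correctly references the real IP rather than the NATed one. If the DNS server is on the INSIDE subnet the udp/domain line can be dropped.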
Similar Messages
-
Multiple gateways for different Traffic on ASA 5510 firewall
Hello,
My network at the moment is set up as:
WAN, with three sites
Site 1
Site 2
Site 3
Site 1 is behind a non-Cisco firewall, which is connected to the internet via a Frame Relay link (using a Cisco 1721 router). We host a number of servers on the Internal network and DMZ's.
All sites connect to the WAN using Cisco routers or switches.
All internet traffic (IN and OUT) for all sites goes via the non-Cisco firewall.
I am interested in the ASA 5510 with six interfaces.
Using the ASA 5510 is it possible to set up two (2) internet connections, one via the Frame Relay and a second internet connection via an ADSL connection?
Then, is it possible to direct the outward-bound traffic via specific gateways based upon either:
(a) the type of traffic, say HTTP from users behind the firewall; or
(b) the IP addresses of the host (i.e. users' PC versus the servers)
Any assistance is welcome.
Kind regards,
IT@C
Yes, you can do this with policy routing on the internet router in front of the firewall, assuming that you are connecting both ISPs to that router. Also, remember that you can do VLANs on the ASA. This may cut down on the number of interfaces that you use in your config.
http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080636f89.html
HTH, pls rate! -
Unable to see interface on ASA 5510 Firewall
Hi All,
I am unable to see 4th interface on my firewall i.e fastether0/3 on my firewall ASA 5510.
Below is the output.
ciscoasa# sh int ip br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 x.x.x.x YES CONFIG up up
Ethernet0/1 x.x.x.x YES CONFIG up up
Ethernet0/2 unassigned YES unset administratively down down
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset up up
Management0/0 192.168.1.1 YES CONFIG up up
Please suggest what could be the reason.
Regards
Pankaj
Hi Ramraj,
Even I have the base license for my ASA 5510, which is showing all 4 interfaces in sh ver. I don't think the license would be an issue. There should be some IOS code bug, which needs an upgrade. If this goes for an OS upgrade it should get resolved.
It's not showing up in sh ver. As Karsten said, he might be running an old IOS version.
fy-a# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 6.4(5)
Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
fy-a up 1 day 1 hour
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: Ethernet0/0 : address is 2c54.2d0c.8f1a, irq 9
1: Ext: Ethernet0/1 : address is 2c54.2d0c.8f1b, irq 9
2: Ext: Ethernet0/2 : address is 2c54.2d0c.8f1c, irq 9
3: Ext: Ethernet0/3 : address is 2c54.2d0c.8f1d, irq 9
4: Ext: Management0/0 : address is 2c54.2d0c.8f1e, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1AXXXXX
Running Permanent Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Configuration register is 0x1
Configuration has not been modified since last system restart.
fy-a#
Ramraj please do correct me if am wrong.
Please do rate if the given information helps.
By
Karthik -
(ASA 5510) How do assign multiple public IP addresses to outside interface?
Hi,
I'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. 123.123.123.124) and another I would like to NAT to an internal server (e.g. 192.168.0.3 > 123.123.123.125). On my ASA 5505 this seemed fairly straightforward, i.e. create an incoming access rule that allowed SMTP to 123.123.123.125 and then create a static NAT to translate 192.168.0.3 to 123.123.123.125. Since I've tried to do the same on the 5510 traffic is not passing through, so I'm assuming that the use of additional public IP addresses is not handled in the same way as on the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, whereas this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first? Please bear in mind I'm doing the config via ASDM.
PS. everything else seems to OK i.e. access to ASDM via 123.123.123.124, outbound PAT and the site-to-site VPN.
Any help much appreciated as I really need to get this sorted by Sunday night!
Jan
ASA 5505 is slightly different to ASA 5510. ASA 5505 has switchports, while ASA 5510 has all routed ports, hence there is no need for VLAN assignment, unless you are creating a trunk port with sub-interfaces.
In regards to static NAT, which version of ASA are you running?
For ASA version 8.2 and earlier (assuming that you name your inside interface: inside, and outside interface: outside):
static (inside,outside) 123.123.123.125 192.168.0.3 netmask 255.255.255.255
For ASA version 8.3 and above:
object network obj-192.168.0.3
host 192.168.0.3
nat (inside,outside) static 123.123.123.125
Also, with your inbound ACL, the behaviour also changes from ASA 8.2 and earlier compared to ASA 8.3 and above.
For ASA 8.3 and above, you would need to configure ACL with the destination of the real IP (192.168.0.3), not the NATed IP (123.123.123.125).
For ASA 8.2 and below, it is normally ACL with destination of NATed IP (123.123.123.125) for inbound ACL on the outside interface.
Hope that helps. -
Hi All
After some advice and direction.
Our ASA firewall, using ASA version 8.4, has recently started presenting us with a problem to one external website
called http://partners.highnet.com/login/, IP address 62.233.82.181.
Our firewall is letting everything on our inside Trusted site 192.168.254.0/24 out through our outside interface on x.x.x.x
to any website and brings back the details
However when we try to reach http://partners.highnet.com/login/ we recently started receiving (Internet Explorer cannot display the webpage)
on checking the ASA under Home TAB - Firewall Dashboard - and then under - Top 10 protected Servers under SYN attack we are receiving the below error.
Rank  Server IP-Port    Interface  Average  Current  Total  Source IP (Last Attack Time)
5     62.233.82.181:80  INSIDE     0        0        8      192.168.254.130 (1 mins ago)
I have tried rebooting the ASA firewall (Still did not resolve).
I have also disabled basic threat detection and threat detection statistics and then re-enabled after a period of time under > configuration > Firewall > threat detection (Still did not resolve).
Have created a number of access list both from the inside to outside and outside to inside allowing TCP just to the specific IP address 62.233.82.181 (Still did not resolve).
Tried editing Global Policy for Http configuration > connection settings TCP and UDP connections and also Embryonic connections (Still did not resolve).
Also tried using the shun command on the ASA to clear connection and statistics and (Still did not resolve).
So you see there is nothing else I can think of doing, so that is why I have asked you for some pointers maybe someone has come across this sort of issue before.
If you can help or advise it is much appreciated.
Hi,
Are you sending logs from your ASA to any Syslog server from which you could pull all the connection logs for that destination IP address?
On the ASA you can naturally use "packet-tracer" also to simulate one such packet coming from your LAN towards this WAN IP address (of the server) and confirm that all rules are correct.
packet-tracer input INSIDE tcp 192.168.254.130 12345 62.233.82.181 80
You could maybe also try to generate TCP SYNs directly from the ASA
ping tcp 62.233.82.181 80
And see if the server replies
- Jouni -
Unable to access public ip from branch vpn (Cisco ASA 5510 Firewall)
Hi,
As per the above diagram
in Head office - able to access public ips
In Branch office - unable to access public ips only accessing head office servers and internet is shared from head office.
please see the below configuration in Branch office router:
access-list 1 permit any
access-list 100 remark ****** Link to Firewall-HO1 ******
access-list 100 permit ip 10.21.211.0 0.0.0.255 172.16.35.0 0.0.0.255
access-list 100 permit ip 10.21.211.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 100 permit ip 10.21.211.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 100 permit ip 10.21.211.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 100 permit ip 10.21.111.0 0.0.0.255 172.16.35.0 0.0.0.255
access-list 100 permit ip 10.21.111.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 100 permit ip 10.21.111.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 100 permit ip 10.21.111.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 100 permit ip 10.21.10.0 0.0.0.255 172.16.35.0 0.0.0.255
access-list 100 permit ip 10.21.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 100 permit ip 10.21.10.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 100 permit ip 10.21.10.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 100 permit ip 10.21.211.0 0.0.0.255 host 78.93.190.226
access-list 100 permit ip 10.21.111.0 0.0.0.255 host 78.93.190.226
access-list 100 permit ip any any
access-list 101 deny ip 10.21.211.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 deny ip 10.21.211.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 deny ip 10.21.211.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 101 deny ip 10.21.211.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 101 deny ip 10.21.111.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 deny ip 10.21.111.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 deny ip 10.21.111.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 101 deny ip 10.21.111.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 101 deny ip 10.21.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 deny ip 10.21.10.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 deny ip 10.21.10.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 101 deny ip 10.21.10.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 101 permit ip host 10.21.211.51 any
access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 66.147.240.160 eq pop3
access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 66.147.240.160 eq smtp
access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 78.93.56.10 eq pop3
access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 78.93.56.10 eq smtp
access-list 102 permit ip 10.21.211.0 0.0.0.255 any
route-map nonat permit 10
match ip address 101
Thanks for your valuable time and consideration.
Can anyone help me?
-
ASA 5510 Guest Internet Access
I have a subnet for guest network access, both wired and wireless. We have a Netgear ProSafe that is trunked to a Cisco 2901 performing 'Router-on-a-Stick'. For most internal traffic, it all stays behind the ASA. But for guest traffic, I have a route-map that sets the next-hop address as the outside interface of the ASA. The question is, how can I still permit those users to access our internal DNS servers? Do I need any particular NAT translations, exemptions, DNS doctoring, hairpinning, etc.? I have an ACL on the inside interface that permits traffic from the guest networks to our internal DNS servers, and then the next ACL line denies any other traffic from the guest networks to any of our internal networks.
Regards,
Scott
Hello Scott,
Your ASA will need to have a route for both networks
You also will need the following command:
-same-security-traffic permit intra-interface
The thing is that the packets from the guest vlan will go directly to the ASA as its default gateway, then packets will be routed to the Router on stick and finally to the DNS server, the reply will go from the DNS to the Router on stick and then directly to the Guest user.
Nat exemption will look like this:
access-list nonat permit ip 192.168.14.0 255.255.255.0 host 192.168.11.6
access-list nonat permit ip 192.168.14.0 255.255.255.0 host 192.168.11.4
nat (inside) 0 access-list nonat
Please give it a try, also please provide packet tracer
packet-tracer input inside udp 192.168.14.10 1025 192.168.11.4 53
Regards,
Julio
Rate helpful posts -
Customers, Sales Orders Restrictions based on Sales Office and Sales Groups
hi all,
We have a typical scenario for one of our customers. They are SAP ERP, ECC 6.0.
They have sales employees/managers assigned to customers. In order to maintain the link between the sales employees and the customers, their earlier implementation partner followed the following method for the linkage.
Each sales employee and each sales managers are given a SAP User ID like 101, 012, 103 etc.. Sales groups OR Sales offices are also maintained with the same numbers/IDs. At the customer master level, each customer's sales group is given the sales employee ID (which is same as that of the sales group). The example is as follows.
Customer No. Sales Group Sales Office
CU1 101 108
CU2 101 108
CU3 102 108
CU4 103 109
CU5 104 110
The sales group names and the sales offices names are given the same names as that of the user IDs of the sales employees/sales managers. In the above example, the sales employee 101 (sales group 101) is assigned to customers CU1, CU2. The sales manager 108 (Sales office 108) is managing the sales employees 101 and 102.
Now the customer has some authorization issues. He wants us to provide authorizations in such a way that -
if the sales employee 101 logs on to the system he should be able to display the customers and the sales orders (XD03, VD03, VA03) that are assigned only to him (in other words with the sales group 101), and similarly for other sales employees.
if the sales manager 108 logs on to the system he should be able to display the customers and the sales orders that are assigned to his sales employees (101, 102). In other words with the sales office as the manager's ID 108.
I tried to use the authorization object V_VBKA_VKO but this doesn't seem to be serving the purpose, as this object is not being checked at all in any of the above VA03, XD03 and VD03 transactions.
Similarly I did not find any other authorization object which makes use of Sales group field and Sales office field which also has a linkage to VA03, XD03 and VD03 transactions.
The customer is evaluating our contract with them based on this solution.
Any help is greatly and highly appreciate.
Thanks,
Niran.
Hi,
Please use the following authorization objects for your purpose. For more details please go through the documentation of the objects:
V_KNA1_BRG Customer: Account Authorization for Sales Areas
V_KNA1_VKO Customer: Authorization for Sales Organizations
FYI: V_VBKA_VKO SD Sales Activities: Authoriz.for org.data and sales activ.type
contains the following fields which are relevant to your query:
VKORG Sales Organization
VTWEG Distribution Channel
SPART Division
VKBUR Sales Office
VKGRP Sales Group
KTAAR Sales Activity Type for Sales Support
ACTVT Activity
Regards,
Dipanjan -
Oracle HR restrictions based on multiple assignments and multiple GRE's.
In oracle HR, with multiple assignments and multiple GRE. How can we restrict to having 1 assignment per GRE. I do not want more than 1 assignments per GRE. Has anyone done this before?
Hi,
If the requirement is to prevent the creation of multiple assignments, you can achieve that by personalizing the assignment form.
Thanks
Satheesh -
How to granularly enable Multi-Factor Auth based on the system and not the user?
Hi,
we are using Azure AD to federate some cloud services. We want to deploy Azure MFA to some of them, but not all. In particular, we don't want MFA for o365.
How can I force MFA depending of the service ?
Regards,
John
Hi,
I think you may ask in:
https://social.msdn.microsoft.com/Forums/en-US/home?forum=windowsazureactiveauthentication&filter=alltypes&sort=lastpostdesc
Regards.
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
I recently set up my new iMac to a fiber optic service and it was working great until about 2 weeks ago. Numerous times a window comes up and says can not connect to server, I can not sign into Facetime, and cannot close out my email. Hmmmmm
Contact the ISP.
-
DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router
Hi Guys,
I'm in a mess, I have Cisco 877-K9 router which sits behind an ASA 5510 FW.
The Design :
Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
||
ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
||
Switch
||
LAN
Now my problem is, My Dmvpn configuration works just fine, I'm able to ping from my Cisco 877 to any Spoke & vise versa.
I'm also able to Ping from my LAN to any Spoke Tunnel IP, but Im not able to ping any LAN IP at Spoke site nor am I able to ping my LAN from any Spoke site.
I've googled alot but have come at designs where the ASA's are behind the Cisco Routers and not infront.
Any help in this regards is highly appreciated. I really need this to work. Attached are the config files....
Thanks,
Aj.
Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but just thought of getting more ideas.
All the troubleshooting was done before posting the problem, and to clarify things, please find below the results.
1) What routing protocol are you using?
a) It's OSPF
2) If you're using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF
a) I did the "show ip route" and both the HUB and Spokes get their routes defined
(on the HUB if I used "network 192.9.201.0 255.255.255.0 area 0" I couldn't get routes advertised on spokes)
(I changed to "redistribute static subnets" and I was able to get Hub routes advertised)
3) Are your tunnels configured correctly? Try show crypto ipsec sa
a) They are as they should be and "show crypto ipsec sa" comes up with proper in/out encrypted data
4) On your hub/spoke do a debug ip icmp
a) Did that as well, and if I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but if I ping from HUB to Spoke on a client IP behind the Spoke, it pings but does not show any result on the Spoke debug.
I'm able to ping all the Spoke's Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA nor the clients on my LAN.
Additional to the info above, Please also note :
I did notice something that, from my HUB router, which is also my DSL Modem, I'm unable to ping any clients behind the ASA.
So I guess I'm stuck on the point that My Cisco HUB is unable to talk to my LAN, If I can get the HUB to talk to the internal LAN, I would be able to ping clients on LAN from any Spoke or clients behind Spokes.
From HUB router I'm able to ping clients behind Spokes.
Does that give any Ideas ?
Thanks in Advance.
Aj. -
Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510
I need to add guest (internet only) wireless to our existing internal wireless and am looking for advice as to the best practice configuration. Existing infrastructure as follows:
WLC 2504
1142 LAPs
4510R+E
ASA 5510
Existing configuration as follows:
WLC management interface and APs addressed on the 192.168.126.0 /25 network
Internal WLAN mapped to the management interface
Management interface VLAN ID 0 (untagged) and dynamic AP management enabled
WLC port 1 (only) connected to 4510 via trunk with native VLAN set to 7 and allowed VLAN set to 7
4510 connected to ASA inside interface (security level 100)
Switchport on 4510 connected to ASA configured as switchport access VLAN 99 (our internet VLAN)
ASA inside interface NOT configured for subinterfaces and is addressed on the 192.168.121.0 /25 network
What is the best way to add guest wireless to our existing configuration?
Note: I need the guest wireless to be filtered by Websense as our internal wireless is
Any advice would be greatly appreciated!
Thanks for the reply Scott. The configuration recommendations from Yahya did not work. I set up as he recommended and also added a DHCP scope on the WLC. The client gets DHCP but cannot even ping the WLC, much less anything else. Yahya stated above to configure port 2 on the WLC to an access port on my 4510. Aren't all connections from the WLC supposed to be trunk links to the switch? Shouldn't I just leave the management interface on the WLC untagged and add a dynamic interface for each WLAN and tag it with the appropriate VLAN ID? And then leave the (one) physical connection on the WLC (port 1) connected to a trunk link on the 4510 that allows the required VLANs?
Any input would be greatly appreciated...
JW -
Reset ASA 5510 back to MFG Settings - Please help??
A network engineer was in the middle of setting up a customer ASA 5510 Firewall and left. We don't know the IP/UN/PW.
Is there a way to hard reset the firewall back to manufacture settings?
Thanks in advance.
Hi,
The easiest thing would be to do a password recovery, as described here:
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1058131
Then you can simply reset the password and carry on where he left off.
HTH
Andrew. -
Hello all!
I was wondering if anyone knew the difference between an ASA5510-K8 and K9. Is this a software or hardware version? If I was using 2 ASAs in a failover/standby environment, do the 2 need to match or can these be different? Any feedback would be helpful. Thanks.
Hi Edwin,
Please see below the information ref to 5510 licensing (gives you the differences between K8 &K9) and Active/standby failover implementation requirements for ASA...
Cisco ASA 5510 Firewall Edition includes 5 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, 3DES/AES license
ASA5510-BUN-K9
Cisco ASA 5510 Firewall Edition includes 5 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, DES license
ASA5510-K8
Cisco ASA 5510 Security Plus Firewall Edition includes 2 Gigabit Ethernet + 3 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 Premium VPN peers, Active/Standby high availability, 3DES/AES license
ASA5510-SEC-BUN-K9
Licensing Requirements for Active/Standby Failover
The following table shows the licensing requirements for this feature:
Model             License Requirement
ASA 5505          Security Plus License. (Stateful failover is not supported.)
ASA 5510          Security Plus License.
All other models  Base License.
Prerequisites for Active/Standby Failover
Active/Standby failover has the following prerequisites:
•Both units must be identical security appliances that are connected to each other through a dedicated failover link and, optionally, a Stateful Failover link.
•Both units must have the same software configuration and the proper license.
•Both units must be in the same mode (single or multiple, transparent or routed).
Below are the links for reference..
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html
hth
MS