ASA 5510 - Setting up ACL to permit access only to the Nat'ed subnet

Hi,
I am experiencing an issue setting up an ACL on my ASA 5510 to permit access only to the NAT subnet from the inside to the outside interface. This firewall is set up for the DR solution in the production network. I am applying the following ACL in the inbound direction on the inside interface.
permit ip any "Nat_subnet"
After applying this ACL to the inside interface I observed that I can ping the destinations in the NAT'ed subnet but am unable to SSH to the servers. Following is a summary of my configuration. I would appreciate it if someone could please advise on how to resolve this issue.
Regards,
Muds
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.135.241 255.255.255.248 standby 192.168.135.242
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.135.249 255.255.255.248 standby 192.168.135.250
object-group network d1-dr-nat_nets
network-object 192.168.128.0 255.255.248.0
object network 10.210.14.0_Net
nat (outside,inside) static 192.168.128.0_Net
object network 10.210.16.0_Net
nat (outside,inside) static 192.168.129.0_Net
object network 10.210.80.0_Net
nat (outside,inside) static 192.168.130.0_Net
object network 10.210.84.0_Net
nat (outside,inside) static 192.168.131.0_Net
object network 10.210.86.0_Net
nat (outside,inside) static 192.168.132.0_Net
object network 10.210.88.0_Net
nat (outside,inside) static 192.168.133.0_Net !
access-list prod_lan-in extended permit ip any object-group d1-dr-nat_nets
access-group prod_lan-in in interface inside

Hi,
As I mentioned, even though you NAT the address from outside to inside, you will have to use the REAL IP ADDRESSES in the access-list statements.
Your hosts on the inside will still be connecting to the NAT IP address of the hosts on the outside, BUT the ASA needs the ACL statements with the NATed hosts' original IP addresses.
Let me give a simple example:
object network STATIC
host 10.10.10.10
nat (outside,inside) static 192.168.10.10
access-list INSIDE-IN permit ip any host 10.10.10.10
or
access-list INSIDE-IN permit ip any object STATIC
- Jouni
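To turn Jouni's advice into something that can be checked against a running config, the script below parses a configuration in the shape Muds posted, flags inbound ACEs whose destination is a NAT-mapped network on the interface where the ACL is applied, and prints the real-object form of each ACE. This is an added example, not code from the thread or from Cisco. The subnet contents of the *_Net objects are an assumption (/24s), since the post shows only the object names; the parser understands only the statement forms that appear in the thread (object network with subnet/host and static nat, object-group network with network-object, extended permit/deny ACEs without source-port operators, and access-group).

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample in the shape of the thread's config. The subnet lines are
# an assumption (/24s): the post shows the object names but not their contents.
SAMPLE_CONFIG = """
object network 192.168.128.0_Net
 subnet 192.168.128.0 255.255.255.0
object network 192.168.129.0_Net
 subnet 192.168.129.0 255.255.255.0
object network 10.210.14.0_Net
 subnet 10.210.14.0 255.255.255.0
 nat (outside,inside) static 192.168.128.0_Net
object network 10.210.16.0_Net
 subnet 10.210.16.0 255.255.255.0
 nat (outside,inside) static 192.168.129.0_Net
object-group network d1-dr-nat_nets
 network-object 192.168.128.0 255.255.248.0
access-list prod_lan-in extended permit ip any object-group d1-dr-nat_nets
access-group prod_lan-in in interface inside
"""

Nat = namedtuple("Nat", "real_object real_if mapped_if mapped_spec")
Ace = namedtuple("Ace", "acl action proto src dst raw")
Finding = namedtuple("Finding", "ace mapped real_object real_net")


def _addr(tokens):
    """Consume one address spec: any | host A | object N | object-group N | A MASK."""
    if tokens[0] == "any":
        return ("any",), tokens[1:]
    if tokens[0] in ("host", "object", "object-group"):
        return (tokens[0], tokens[1]), tokens[2:]
    return ("net", tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Collect objects, groups, static NATs, extended ACEs and access-groups.
    Only the statement forms seen in the thread are understood (no source-port
    operators in ACEs, no dynamic NAT)."""
    cfg = {"objects": {}, "groups": {}, "nats": [], "aces": [], "applied": {}}
    cur = None                                     # ("object" | "group", name)
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["object", "network"]:
            cur = ("object", t[2]); cfg["objects"].setdefault(t[2], None)
        elif t[:2] == ["object-group", "network"]:
            cur = ("group", t[2]); cfg["groups"].setdefault(t[2], [])
        elif cur and cur[0] == "object" and t[0] in ("subnet", "host"):
            cfg["objects"][cur[1]] = ipaddress.ip_network("/".join(t[1:]))
        elif cur and cur[0] == "object" and t[0] == "nat" and t[2] == "static":
            real_if, mapped_if = re.match(r"\((\S+),(\S+)\)", t[1]).groups()
            cfg["nats"].append(Nat(cur[1], real_if, mapped_if, t[3]))
        elif cur and cur[0] == "group" and t[0] == "network-object":
            cfg["groups"][cur[1]].append(_addr(t[1:])[0])
        elif t[0] == "access-list" and t[2] == "extended" and t[3] in ("permit", "deny"):
            src, rest = _addr(t[5:])
            cfg["aces"].append(Ace(t[1], t[3], t[4], src, _addr(rest)[0], " ".join(t)))
        elif t[0] == "access-group":               # access-group NAME in|out interface IF
            cfg["applied"][t[1]] = (t[2], t[4])
    return cfg


def resolve(spec, cfg):
    """Expand an address spec into ip_network objects (groups recursively)."""
    if spec[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec[0] in ("host", "net"):
        return [ipaddress.ip_network("/".join(spec[1:]))]
    if spec[0] == "object":
        return [cfg["objects"][spec[1]]]
    return [n for m in cfg["groups"][spec[1]] for n in resolve(m, cfg)]


def audit(cfg):
    """Flag ACEs whose destination lies in a NAT-mapped network on the very
    interface the ACL is applied to inbound: hosts there connect to the mapped
    address, but the ACE must name the real (untranslated) address."""
    findings = []
    for ace in cfg["aces"]:
        direction, iface = cfg["applied"].get(ace.acl, (None, None))
        if direction != "in":
            continue
        for nat in (n for n in cfg["nats"] if n.mapped_if == iface):
            mapped = cfg["objects"].get(nat.mapped_spec)
            if mapped is None:                     # literal IP rather than an object name
                mapped = ipaddress.ip_network(nat.mapped_spec)
            for dst in resolve(ace.dst, cfg):
                if dst.prefixlen and dst.overlaps(mapped):     # prefixlen 0 is "any"
                    findings.append(Finding(ace, str(mapped), nat.real_object,
                                            str(cfg["objects"][nat.real_object])))
    return findings


def suggested_aces(findings):
    """Rewrite each flagged ACE to name the real object, the form Jouni's reply uses."""
    lines = []
    for f in findings:
        src = " ".join(f.ace.src[1:] if f.ace.src[0] == "net" else f.ace.src)
        line = f"access-list {f.ace.acl} extended {f.ace.action} {f.ace.proto} {src} object {f.real_object}"
        if line not in lines:
            lines.append(line)
    return lines


if __name__ == "__main__":
    for f in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{f.ace.raw!r} hits mapped {f.mapped}; real network is {f.real_net}")
    print("\n".join(suggested_aces(audit(parse_config(SAMPLE_CONFIG)))))
```

Run as-is it reports two findings for prod_lan-in and prints the two real-object ACEs; swap the object-group reference for `object 10.210.14.0_Net` (the form in Jouni's reply) and the audit returns nothing. The check encodes the 8.3-and-later rule only; on pre-8.3 code ACLs did match on the mapped addresses, and a config from that era would be flagged wrongly.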

Similar Messages

  • ASA 5510 ignoring configured acl entry?

    Greetings,
  I'm configuring an ASA-5510, and I have several interfaces, some of which include:
    interface Ethernet0/0.200
    vlan 200
    nameif SITECORP
    security-level 90
    ip address 10.1.4.1 255.255.254.0
    interface Ethernet0/0.207
    vlan 207    
    nameif SITESERVER
    security-level 90
    ip address 10.1.7.1 255.255.255.128
    interface Ethernet0/1.311
    vlan 311
    nameif MOD1BMS
    security-level 100
    ip address 10.1.144.1 255.255.252.0
    I have the following access-lists configured and applied:
    access-list SITECORP_access_in extended permit ip any any
    access-list SITESERVER_access_out extended permit tcp object-group SITECORP object-group SITESERVER eq www
    access-list MOD1BMS_out extended permit tcp object-group SITECORP object-group MOD1BMS eq www
    fw# show run object-group
    object-group network SITECORP
    network-object 10.1.4.0 255.255.254.0
    object-group network MOD1BMS
    network-object 10.1.144.0 255.255.252.0
    object-group network SITESERVER
    network-object 10.1.7.0 255.255.255.128
    fw# show run nat-control
    no nat-control
    packet-tracer shows traffic from SITECORP to MOD1BMS (a higher security-level) on tcp/80 is successful, whereas it shows the same traffic from SITECORP to SITESERVER is denied, due to implicit rule.
    fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.144.200 80 detailed
    <snip>
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group SITECORP_access_in in interface SITECORP
    access-list SITECORP_access_in extended permit ip any any
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xd5641ec8, priority=12, domain=permit, deny=false
            hits=1860, user_data=0xd5526cb0, cs_id=0x0, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0
    fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.7.11 80 detailed
    <snip>
    Phase: 3
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xd544e8c8, priority=110, domain=permit, deny=true
    hits=8, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0
    This definitely confuses me, because SITECORP has an inbound access-list of permit ip any any.
    Can anyone suggest what I'm missing, how to go about making this work, or what more I might provide to troubleshoot?
    Regards,
      Phil

    Hello Phil,
    That is correct: no matter what ACEs (access-list entries) you have configured on one interface, if that interface wants to talk to another one with the same security level, the connection will not be allowed (ASA/PIX speaking).
    But you do not have to change the security level; of course that is one work-around, but again the solution is:
    - same-security-traffic permit inter-interface
    Please mark the question as answered for future queries regarding the same issue unless you have any other question, I would be more than glad to help.
    Regards,
    Julio
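The check Julio describes can be modelled to reproduce both of Phil's packet-tracer results and to show what the same-security-traffic command changes. This is an added example, not Cisco's code and not from the thread: the interface levels and the permit ip any any ACE come from the post, the egress interface is passed in explicitly (packet-tracer derives it from the route lookup), and only inter-interface flows are modelled (intra-interface traffic, which has its own keyword, is left out).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str                         # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dst_port: Optional[int] = None   # None = any port

    def matches(self, proto, src_ip, dst_ip, dst_port):
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.dst_port in (None, dst_port))


@dataclass
class Asa:
    security_level: dict                             # nameif -> security-level
    inbound_acl: dict = field(default_factory=dict)  # nameif -> [Ace, ...] applied "in"
    same_security_inter_interface: bool = False      # same-security-traffic permit inter-interface

    def evaluate(self, ingress, egress, proto, src_ip, dst_ip, dst_port):
        """Return (result, reason) for an inter-interface flow, in the order the
        ACCESS-LIST phase of packet-tracer applies the checks."""
        lvl_in, lvl_out = self.security_level[ingress], self.security_level[egress]
        # Equal levels are refused before any ACE is consulted, unless the
        # global same-security-traffic command is present.
        if lvl_in == lvl_out and not self.same_security_inter_interface:
            return "DROP", "Implicit Rule (same security level)"
        acl = self.inbound_acl.get(ingress)
        if acl is not None:
            for ace in acl:
                if ace.matches(proto, src_ip, dst_ip, dst_port):
                    return ("ALLOW" if ace.action == "permit" else "DROP"), f"{ace.action} ACE"
            return "DROP", "Implicit Rule (end of access-list)"
        # No ACL on the ingress interface: the security levels alone decide.
        if lvl_in > lvl_out:
            return "ALLOW", "higher to lower security level, no access-list"
        return "DROP", "Implicit Rule (lower to higher security level, no access-list)"


def asa_from_thread():
    """Interfaces and ACL as shown in Phil's post (constructed sample)."""
    return Asa(security_level={"SITECORP": 90, "SITESERVER": 90, "MOD1BMS": 100},
               inbound_acl={"SITECORP": [Ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]})


def reproduce_traces():
    """The two packet-tracer runs from the post, then the same flow after the fix."""
    asa = asa_from_thread()
    to_mod1bms = asa.evaluate("SITECORP", "MOD1BMS", "tcp", "10.1.4.11", "10.1.144.200", 80)
    to_siteserver = asa.evaluate("SITECORP", "SITESERVER", "tcp", "10.1.4.11", "10.1.7.11", 80)
    asa.same_security_inter_interface = True
    after_fix = asa.evaluate("SITECORP", "SITESERVER", "tcp", "10.1.4.11", "10.1.7.11", 80)
    return to_mod1bms[0], to_siteserver[0], after_fix[0]


if __name__ == "__main__":
    print(reproduce_traces())    # ('ALLOW', 'DROP', 'ALLOW')
```

The order of the checks is the point: the 90-to-100 flow passes because the ingress ACL permits it, while the 90-to-90 flow is dropped by the implicit rule before the ACL is even consulted, exactly as the second trace shows.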

  • WLC ACL For Internet Access Only

    I've implemented Cisco ISE 3495s with the advanced subscription license.  I've built my policy sets and authorization profiles.  It all works great!  Here's the issue that I'm having.  I have internal employees who bring in their own devices (BYOD).  I want to allow them onto the secured SSID that I've created, but only want to give them access to the intra/internet.  I've created an ACL (EmpInternetOnly) on the WLC.  Here are my rules:
    I can get to the intranet, with no issue (ACL lines 1-4).  I can't get to the internet whatsoever.  I see everything falling down to the deny statement.  When I remove the deny statement (ACL line 14), and put a permit all, then the internet works with no issue.  Am I missing something here?  I've researched this topic on several message boards, but can't find an answer.  I've tried to run the acl debug, on the controller, but do not see any output when I run it.  It might be because I don't understand the proper format of how to set it up.  Any and all replies would be much appreciated!  Thanks!
    Steve

  • Minimum set of ACLs / security access required for getting MBeanHome and Runtime MBeans

    Hi,
    Where can I get information regarding the "minimum set" of ACLs and security access/permission
    required for
    a) Accessing weblogic.management.MBeanHome [Local and Admin interfaces] and RemoteMBeanServer
    interfaces
    b) Use MBeanHome and RemoteMBeanServer interface to look up MBeans [especially
    Runtime MBeans] for Cluster, Server instances, EJBs, JDBC, Execute Queues, etc?
    Any help or hint is appreciated!
    Regards,
    DKV

    "DKV" <[email protected]> wrote in message
    news:3f4e8429$[email protected]..
    >
    Hi,
    Where can I get information regarding the "minimum set" of ACLs and security access/permission
    required for
    I believe this was answered in the management jmx newsgroup.

  • ASA 5510 in Transparent Mode-Guidelines.

    Dear all,
    I need to convert routed mode to transparent mode on my ASA-5510 with inbuilt IPS.
    let me know which of the following features configured on my firewall will have issue if converted to transparent mode:
    1. static routes.
    2. object-groups.
    3. ACLS.
    4. URL-filter (Websense).
    5. IPS . ( i doubt this )
    6. have 3 data and 1 Mgmt interfaces.
    7. syslog.
    8. SNMP
    I'm sure point 5 and 6 will have issues, need to confirm.
    need to confirm this by EOD,
    ( 5 hours more).
    thanks in advance.
    Shukla.

    Does not participate in routing protocols but can still pass routing protocol traffic through it. You can define static routes for the traffic originated by the ASA.
    In transparent mode the devices behind and in front of the firewall will be in the same IP subnet, as the firewall will be a L2 device!!
    ACLs can be configured normally
    syslog as well
    object groups as well
    Address translation is inherent when a firewall is configured for routed mode. Beginning with ASA 8.0, address translation can be used in transparent mode as well
    Does not participate in multicast. However, it allows passing the multicast traffic through it using the ACLs.
    Does not support QoS.
    Inspects Layer 2 and higher packet headers
    As long as you can use
    policy-map global_policy
    then you can integrate with IPS, if you mean the AIP-SSM module
    Transparent is also known as a Layer 2 firewall or a stealth firewall, because its interfaces have no IP addresses and cannot be detected or manipulated. Only a single management address can be configured on the firewall
    In transparent mode, a firewall can support only two interfaces: the inside and the outside. If your firewall supports more than two interfaces from a physical and licensing standpoint, you can assign the inside and outside to two interfaces arbitrarily. As soon as those interfaces are configured, the firewall does not permit a third interface to be configured.
    Some platforms also support a dedicated management interface, which can be used for all firewall management traffic. However, the management interface cannot be involved in accepting or inspecting user traffic
    Configure a management address:
    Firewall(config)# ip address ip_address subnet_mask
    The firewall can support only a single IP address for management purposes. The address is not bound to an interface, as in routed mode. Rather, it is assigned to the firewall itself, accessible from either of the bridged interfaces.
    The management address is used for all types of firewall management traffic, such as Telnet, SSH, HTTP, SNMP, Syslog, TFTP, FTP, and so on.
    A transparent firewall can also support multiple security contexts. In that case, interface IP addresses must be configured from the respective context. The system execution space uses the admin context interfaces and IP addresses for its management traffic
    You do not have to configure a static route for the subnet directly connected to the firewall interfaces. However, you should define one static route as a default route toward the outside public network
    I wish I covered all your questions
    good luck
    if helpful Rate

  • Cisco ASA 5510 site to site VPN only

    Hi,
    Need some expert help. I will be deploying the CISCO ASA 5510 in a VPN site to site scenario only. One interface will be for the WAN and the other LAN interface is connected to another firewall appliance. The main purpose of the ASA is for branch site VPN connection only. My default gateway is pointing to the Internet router on my WAN interface. Should NAT be enabled on my WAN interface? The only expected traffic to go thru my ASA is VPN traffic to the other site. I have already defined static routes and have gone thru the wizard for site to site VPN and added my local and remote networks. Also how do I approach my access policies, the default deny any any is in place. Should I allow anything on it? The firewall connected to my LAN interface is expected to do the filtering, like I said the ASA's purpose is just to do VPN site to site. Thanks all

    Thanks Jon. That is what I want to clarify as well, running the VPN site to site wizard, will automatically create the 'cryptomap' access rules, will the existing deny all rule apply to the VPN traffic? I think there was an option that VPN traffic will bypass access rules.
    So having NAT enabled for anything that goes out on my WAN interface would not matter at all, even if the VPN traffic will go out of that interface, right? Hope I don't sound confusing.
    As per your second question, I know it sounds weird and is not good network design, but customer just renewed maintenance contract for the other firewall box that is why he does not want to get rid of it yet. Although ISA can perform the function as well. Thanks.

  • ASA 5510 tunnel dropping

    We have two ASA 5510 firewalls with a tunnel between two sites. The tunnel works without issue until one of the sites experiences a brief outage due to the service provider. The VPN tunnel is not automatically establishing after the outage. It takes a restart of one of the ASA's before it will come back online. How do I get the devices to automatically try to restore the tunnel?
    Chris

    Chris-
    If you configure ISAKMP keepalives, it helps prevent sporadically dropped LAN-to-LAN or Remote Access VPN, which includes VPN clients, tunnels and the tunnels that are dropped after a period of inactivity. This feature lets the tunnel endpoint monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the endpoint removes the connection. In order for ISAKMP keepalives to work, both VPN endpoints must support them.
    *Cisco PIX/ASA 7.x and later, for the tunnel group named 10.165.205.222
    securityappliance(config)#tunnel-group 10.165.205.222 ipsec-attributes
    securityappliance(config-tunnel-ipsec)#isakmp keepalive threshold 15 retry 10
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
    Hope that helps.

  • Reset ASA 5510 back to MFG Settings - Please help??

    A network engineer was in the middle of setting up a customer ASA 5510 firewall and left. We don't know the IP/UN/PW.
    Is there a way to hard reset the firewall back to manufacturer settings?
    Thanks in advance.

    Hi,
    The easiest thing would be to do a password recovery, as described here:
    http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1058131
    Then you can simply reset the password and carry on where he left off.
    HTH
    Andrew.

  • RAS and ASA 5510

    I have an ASA 5510 and need to restrict internet access to a defined group in the AD. I was told that you can use a RAS server to accomplish this. Has anybody done this before? Any pointers?

    Hi
    this is a 'classic' error and has nothing to do with double authentication, but rather with the fact that you do both radius authentication and radius authorization.
    If you remove this line:
       authorization-server-group RADIUS01
    you'll see it starts to work fine
    In short: when ASA does radius authorization, it sends a radius access-request with the username as the password, which is why you see the second request fail all the time.
    This is because radius authorization is intended to be used when authentication happens using certificates (only) so there is no password.
    Also note that in the Radius protocol, authentication and authorization are not separate things, they both happen in one step. So if the ASA does radius authentication, it already gets the user attributes in the authentication step and it does not make sense to also do a separate authorization step (unless in some very rare scenario where you have 2 radius servers, one for authentication and another one for authorization).
    hth
    Herbert

  • How to set-up Guest Client Wireless Access "PIN" with Restricted Access ???

    This is my first time, and, I am not familiar with the rules.
    Is it possible for someone to answer a slightly different question...
    I just bought a TC and hooked it up to my cable modem. I have 3 computers that I want to configure, with the following requirements: WPA/WPA2 security all around, only the 3 computers I have to be allowed use of the TC, and, no listing of the network should appear on remote computers (i.e., a "closed network"). With these basic needs, the three computers I want to be in this network are listed below --- subject to the following ACCESS limitations:
    1. A G4 iMAC (10.5.5), wired to the TC via an Ethernet cable: FULL ACCESS; i.e., shared file access, TM back-ups, HP printer access, internet access;
    2. A MacBook (10.5.5), airport wireless access to the TC: FULL ACCESS, as the iMAC.
    3. A (new generation) PC laptop: VERY LIMITED access --- access only to the internet, so that the TC looks only like a "wireless router." Internet access available at any time of the day or week. It would be good if this client did not have to use any of my passwords, just a "PIN." Also, I do NOT want this PC client to see my printer, and, also, to NOT see my TC base station and NOT have access to my TC/TM disks. To set this up, I entered the PC laptop name and the "MAC" address using the Airport Utility. Then, I selected the "PIN" choice for access, so that this client need not have to ever use or know of any of my passwords. After I selected the "PIN" option, the utility asked me to enter the PC client's PIN. How do I obtain the PC's PIN? This is very confusing to me, so, I apologize to you all (I'm very new at this).
    Hopefully, this TC-only network concern is within the guidelines to be answered.
    Thanks,
    David.

    Dear Smokerz,
    Well, this is where I'm confused. I did use the Airport Utility. I went to the place where it asks for the PIN number. So, I made up an 8-digit number and entered it. I assumed that after I entered the number, it would prompt me to do something with the PC. But, the "Continue" button did not become highlighted. Hence, my confusion. Can you please be more specific as to exactly what I should do using the Airport Utility? The detailed instructions are vague to me, unfortunately.
    Also, with respect to the PC Laptop: I only want it to have access to the internet via the TC (so that the TC acts as a wireless router). And, I want to set up restrictions for limited use of the PC: NO ACCESS to the HP printer, and NO ACCESS to the TM/TC (other than as a wireless router). As before, can you please be more specific as to exactly what I should do using the Airport Utility?
    I must be missing a trivial menu item, so, again, I apologize.
    Thank you,
    David.

  • Can Teredo for Microsoft DirectAccess work in the DMZ of an ASA 5510?

    I'd like to find some way to get Teredo to work with our DirectAccess implementation.  To do that, the external facing NIC on the DirectAccess server needs to be configured with a routable public IP address.
    We have an ASA 5510 (running 8.3 (2)) that has switches on the Internal and DMZ interfaces, but connects directly to our Internet router through the External interface.
    So, I do not have a switch that will allow me to connect our DA server directly to the edge.  Short of buying a new switch and putting it outside of the firewall, I wanted to see if there was a way to configure the ASA so that Teredo would work in the DMZ.
    Our current DMZ has 2 barracuda devices (spam and web filters) using static NAT objects.  The IPs are all 192.168.x.
    Is there some way of getting the DirectAccess external interface to work in the DMZ with a public IP address (and our ISP's gateway) without mucking everything else up?  I've read about transparency mode, but I cannot figure out if that would affect our other devices.
    Thanks in advance!
    -Brad

    Hi. I'm not 100% sure... But I think with UAG service pack 1 or 2 you no longer require a publicly routable address for the external interface of the UAG server. You can now add the UAG server to your existing DMZ without affecting the addressing. Then you allow the Teredo tunneling traffic to the server.
    HTH

  • Set up TM w/Limited Access to one laptop & Full Access to another?

    Dear Apple,
    I just received my Apple 1 TB Time Capsule. Can someone please help me with a network configuration I want to set up?
    I have a cable modem, and, three computers: a G4 iMAC (system 10.5.5), an Apple MacBook (system 10.5.5), and, a PC laptop.
    The Time Capsule is connect directly to the cable modem.
    Regarding the computers:
    (1) I want the G4 iMAC to connect directly, via an Ethernet cable, to the Time Capsule, WITH FULL ALLOWED ACCESS to the Time Capsule and to the back-up function of the Time Machine feature, and, with allowed access to my HP inkjet printer (class 6110);
    (2) I also want the MacBook laptop to wirelessly link to the Time Capsule via the Airport utility on the laptop, and, WITH FULL ALLOWED ACCESS to the Time Capsule and to the back-up function of the Time Machine feature (using WPA/WPA2 security, and, without the network name visible to third parties), and, WITH allowed access to my HP inkjet printer (class 6110);
    (3) I want the PC laptop to wirelessly link to the Time Capsule (using WEP security), but WITHOUT ACCESS to the Time Machine, WITHOUT access to the back-ups on the iMAC, WITHOUT access to the back-ups on the MacBook, and, WITHOUT access to the inkjet printer --- I only want the PC to use the Time Capsule as a WIRELESS ROUTER so that the PC laptop can access the internet.
    (4) And, finally, I want to specify (Time-Capsule/Time-Machine/server ) access ONLY to the iMAC and the MacBook, so that others cannot gain any access.
    I specifically need help to set up and configure the Time Capsule so that the PC laptop, as stated above, should have limited access to the Time Capsule --- namely, only to access the internet, and, not even be aware of stored data on the Time Capsule, not even be aware of the inkjet printer, and, not even see my WPA network name when the PC scans for wireless devices.
    I also want the iMAC and the MacBook to have access to each other’s data stored on the Time Capsule (like a common server).
    I have an old D-Link DI-624 wireless router that I used before buying the Time Capsule, which is available, if needed. Hopefully, I can configure the Time Capsule so that I would not need the old D-Link.
    Thank you in advance,
    David.

    Not a problem. I just wanted to point out that you won't get any "official" answers from Apple on this board. It is all user to user and we only know what we know and some of the time it is conjecture on how to fix a problem if we've never seen it before. I try to point out when I'm guessing, but I don't always remember to rephrase my statements.
    I'm not sure how to set up the Time Machine, but look for an option to only serve out files via AFP (Apple Filing Protocol) only. Turn off SMB sharing, if possible. The PC won't be able to understand AFP--it communicates via SMB (Server Message Block). I would think you should be able to set up
    If the PC can use WPA or WPA2, use that instead of WEP. There is no way to set up special passwords for individual users on a wireless network. It is all or nothing. Now, the wireless password could be different than the password needed to access the files, I think. So, you could set up a simple WPA password for wireless, but set up user accounts with strong passwords for the file server. Again, I don't have Time Capsule, so I don't know how to set it up. Hopefully, I've put enough keywords in for you to look through the configuration options and get it set up.
    As long as this thread stays open and unanswered, more people might look in and have a more specific answer for you.

  • ASA 5510 - Memory : 1 Slot or 4 Slots?

    Is there a way of ascertaining whether my 5510's have 1 memory slot or 4 memory slots without having to open the chassis?
    I need to order the appropriate memory upgrade kits.
    Thanks.

    Manufacturing may be able to tell us if the unit was shipped with 1 or 4 slots with the serial number.
    CSCtd80603    DOC: Only One Memory Slot Should be Used on ASA 5510
    http://www.cisco.com/en/US/docs/security/asa/hw/maintenance/guide/procs.html#wp1075832
    For memory upgrade in the Cisco ASA 5510 with four memory sockets, use slot 1 - P13 and note that only one slot must be populated at all times. For optimum performance in the Cisco ASA 5520 and the Cisco ASA 5540, install the DIMMs in slots P13 and P15, if you are populating only two slots.
    R-comments: Added 03/12/2010 16:37:30 by sheema
    N-comments: Added 02/26/2010 09:19:09 by aossipov
    Release-note: Modified 02/26/2010 09:18:35 by aossipov
    Symptom:
    Cisco ASA 5500 Series Adaptive Security Appliance Hardware Installation Guide mistakenly instructs to use slots 1 and 3 or slots 2 and 4 for memory upgrades on some ASA 5510 boxes with 4 memory sockets. On the contrary, the Dual In-line Memory Module (DIMM) should only be inserted in slot 1 on all ASA 5510 devices; slots 2-4 should not be used. This defect is filed to correct the documentation.
    Affected_Customer: Added 02/10/2010 13:55:22 by dwhitejr
    MFG-Info: Added 02/10/2010 13:49:50 by dwhitejr
    Eng-notes: Added 12/14/2009 09:42:14 by aossipov
    I-comments: Added 12/14/2009 09:35:48 by aossipov
    J-comments: Added 12/14/2009 06:19:04 by dwhitejr
    This bug is not accurate.  The doc is correct.
    The original ASA-5510s shipped with 4 DIMM sockets.  Only after production for about a year was the 5510 re-worked and we came out with a cost reduced model which reduced the DIMM sockets from 4 to 1.  This was verified by MFG.
    SS-Review: Added 12/13/2009 11:28:45 by aossipov
    -KS

  • VISTA & WIRELESS : HOW TO SOLVE LOCAL ACCESS ONLY?

    Thank you for your reading and possible answer(s),
    UNABLE TO GET "LOCAL AND INTERNET ACCESS" UNDER VISTA, WHILE IT WAS POSSIBLE UNDER XP
    I used to get connected "home-like" with XP to a "secondary wireless router" (SSID: Wlancomtrend - no authentication needed, no work group, signal strength: Excellent), which gets the internet signal from a "main wireless router", plugged to the DSL line (SSID: Wireless - no authentication needed, no work group, signal strength: Good / Low).
    I am not the administrator of these routers. I used to get DNS automatically under TCPIP properties.
    VISTA DOESN'T LET ME ACCESS THE INTERNET, THOUGH I MANAGE TO CONNECT TO THE SAME ROUTER
    It says: "Access: local only"; and under Network and sharing center it says "unidentified network". I guess I'm a bit unfamiliar with this OS and do not master all its settings. I also marked off security essentials like Firewall under Windows security center, to prevent any possible internet access blocking. My laptop power plan is also set to "High performance".
    - I suspect my ID network is not well configured. Under System properties (right click on the "My computer icon") > Computer name > network ID > Join a Domain or Workgroup: I'm trying to keep the "This is a home computer" setting, but it goes back to "This computer is part of a business network" all the time, even after reboot. How to fix this, by the way?
    - Under Network and Sharing center > Customize the current connection > location type > i set it to "public".
    Other factors maybe irrelevant: / Sharing discovery > Network discovery: "On" / > file sharing: "On".
    I get DNS automatically under TCPIP properties (as with XP).
    A couple of days ago, VISTA managed to get internet with the "main wireless router" (SSID: Wireless - no authentication needed, signal strength: Good / Low). I just tried to set ID network to "This is a home computer" and rebooted. Under the network window, I also tried to tick a network location or workgroup. This may not be important, though.
    I STILL JUST GET LOCAL ACCESS ONLY WITH MY WIRELESS CONNECTION UNDER VISTA
    Any help? Molta mercé / Many thanks
    Also tried:
    - Automatically Detect Settings checked in internet options
    - Obtain an IP address automatically under TCPIP properties
    - Enable DHCP
    - Disable User Account Control in Security Center
    - Disable most of the Vista security stuff
    - Remove and set up all connections
    - IPv6 off
    - etc.
    Google Occitan www.google.com/intl/oc/ | http://www.eurominority.org/documents/cartes/occitania.gif

    Well, I have been thoroughly frustrated by this networking problem in Vista.  What is so INSIDIOUS about it, is that it can happen spontaneously/periodically.  When it first started happening, I could go for hours with no problems.  And then all of the sudden, it's "LOCAL ACCESS ONLY."   I'd even lose my Internet connection completely, but then it would come back momentarily.  Lately though, the problem got worse.  It would happen every 5-10 minutes.
    What really drove me nuts originally is that I had set up a new wireless router: a TP-Link TL-WR941N.  Very nice and powerful.  It can reach up 3 stories in a multi-story home.  I have my computer up on the 3rd floor.  My Internet connection was no problem... for MONTHS.  And then, all of the sudden, this "LOCAL ACCESS ONLY" problem started cropping up.  My network connection would change to this, then after a few moments, go back to "LOCAL AND INTERNET".
    I figured it was some kind of "momentary atmospheric problem".  But no.  It continued on, for days and days after it had started.  Why?  Why would this start happening when nothing else had changed?
    Ah, but that's where I was amiss.  You see, Vista gets updated frequently by the powers that be at Microsoft.  And who knows what things they really do?  You don't get a full report.  You just keep getting "important security updates".
    Well, I suspect that at some point, they introduced some changes which affect the networking capability of Vista.  And so, since that point, you'll have periodic problems as I have.
    Microsoft is so focused on Windows-7, that they really can't be bothered with Vista.  AND... I really wonder if they leave defects like this around to give incentive for people to upgrade to Windows-7.  I wouldn't put it past them.
    Well, the main thing is that each person's situation is different.  Some people have 3rd party software that is tripping it up (like Norton or McAfee).  I think a lot of the problem depends upon the type of wireless router you're connected with and the type of network (e.g. G vs. N).  So that's why some fixes proposed solve the problem while others do nothing.
    If you try any settings changes, I strongly recommend that you do them one at a time.  Also, keep note of what you've applied.  It is important to be able to roll back those changes if need be.
    So, this was the first friendly user tip that helped me:
    Over the course of several days, I made only one change at a time, then waited to see if the failure occurred again.  I'm an IT networking professional so I based my decisions on my familiarity with network protocols, impact, risk, ease of implementation and fallback positions.
    These are the steps I took:
    1.  Installed Teracopy, which takes over the file copying function of Windows.
    http://www.codesector.com/teracopy.php
    2. Disabled IPv6 (Control Panel -> Network Connections -> <your connection> -> Properties)
    3.  Disabled Link Layer Topology Discovery Mapper and Responder (Control Panel -> Network Connections -> <your connection> -> Properties)
    4. Set Power settings to high performance (Control Panel -> Power Options) and disabled the screensaver (Control Panel -> Personalization -> Screen Saver)
    5. Reduced my Linksys router's MTU to 1480 (although I doubt this was part of the solution)
    6. Enabled ECN with the following command "netsh interface tcp set global ecncapability=enabled" from command line (Start -> cmd)
    http://technet.microsoft.com/en-us/library/bb726965.aspx
    Possibly step 6 is all you really need to do.  Please post if this works for you.
    Well, I figured I'd give step #6 a shot.  Why not?  There are a few other command line settings recommended, but I decided to try it alone first:
              netsh interface tcp set global ecncapability=enabled
    At first, this seemed to be the only thing I needed to do.  My "LOCAL ACCESS ONLY" problem seemed to stop happening, observed over a 20 minute period.  It happened again for a moment, but then Internet Access returned right away.  I thought
    the problem was solved... But then "LOCAL ACCESS ONLY" came back and stayed.  I had to run these commands as well:
              netsh interface tcp set global autotuninglevel=disabled
              netsh interface tcp set global rss=disabled
    This WORKED!  I seem to sustain my Internet connection for much longer periods.  LOCAL ACCESS ONLY does pop up sometimes, but it is very brief.  I think it's something to do with my router going into "sleep mode" on the
    connection.  If I try to make a connection to a website, it comes back to life and I have Internet Access again.
    LASTLY...
    There is one other thing I want to mention, in case someone else reading this has the same problem.
    One day after a severe storm that caused a power outage, I started getting "LOCAL ACCESS ONLY."  The wireless router was there and I'd connect to it, but no Internet.  I connected directly to it, hardwired, and STILL had the same problem.  I
    rebooted the router, the cable modem, you name it.  Same problem.  Being directly connected to the cable modem was fine.  Did my router get fried from a power surge during the storm?  It seemed perfectly fine in all other respects.  I
    eventually contacted the TP-LINK customer support.  I learned something new...  the problem was with the IP ADDRESS of the router conflicting with the cable modem.
    By default, your wireless router will take IP address 192.168.1.1.  In some cases, this will be a problem if the cable modem is taking the same IP address
    and is finicky about the address of the wireless router.  It was fine for almost 6 months... why did it become a problem all of the sudden?  Bizarre.  Suspicion was that the ISP changed some things (they remotely reprogram
    the modems from time to time, you know).  The solution?  Give the wireless router a different address (e.g. 192.168.2.1).  It worked!  I was able to get Internet access after that.  Worked fine for several months,
    too...  until I started getting that periodic "LOCAL ACCESS ONLY" again.  But the solution above seems to have addressed it.
    Good luck to those having problems.  I sure wish Microsoft would be more dedicated to its customer base.  But thankfully we've got forums like this which bring people together to help solve each others problems.  :-)

  • Internet Access from Inside to Outside ASA 5510 ver 9.1

    Hi everyone, I need help setting up an ASA 5510 to allow all traffic going from the inside to outside so I can get internet access through it. I have worked on this for days and I have finally got traffic moving between my router and my ASA, but that is it. Everything is blocked because of NAT rules I assume.
    I get errors like this when I try Packet Tracer:
    (nat-xlate-failed) NAT failed
    (acl-drop) Flow is denied by configured rule
    Version Information:
    Cisco Adaptive Security Appliance Software Version 9.1(4)
    Device Manager Version 7.1(5)
    Compiled on Thu 05-Dec-13 19:37 by builders
    System image file is "disk0:/asa914-k8.bin"
    Here is my ASA config, all I want for this exercise is to pass traffic from the inside network to the outside to allow internet access so I can access the internet and then look for specific acl's or nat for specific services:
    Thank You!
    Config:
    ASA5510# sh running-config
    : Saved
    ASA Version 9.1(4)
    hostname ASA5510
    domain-name inside.int
    enable password <redacted> encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd <redacted> encrypted
    names
    dns-guard
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Ethernet0/1
    description WAN Interface
    nameif Outside
    security-level 0
    ip address 199.199.199.123 255.255.255.240
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup Outside
    dns server-group DefaultDNS
    name-server 199.199.199.4
    domain-name inside.int
    object network inside-net
    subnet 10.0.0.0 255.255.255.0
    description Inside Network Object
    access-list USERS standard permit 10.10.1.0 255.255.255.0
    access-list OUTSIDE-IN extended permit ip any any
    access-list INSIDE-IN extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu Inside 1500
    mtu Outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (Inside,Outside) source dynamic any interface
    object network inside-net
      nat (Inside,Outside) dynamic interface
    access-group INSIDE-IN in interface Inside
    access-group OUTSIDE-IN in interface Outside
    router rip
    network 10.0.0.0
    network 199.199.199.0
    version 2
    no auto-summary
    route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
    route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
    route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
    route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Inside
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username <redacted> password <redacted> encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
      parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    password encryption aes
    Cryptochecksum:
    <redacted>
    : end
    SH NAT:
    ASA5510# sh nat
    Manual NAT Policies (Section 1)
    1 (Inside) to (Outside) source dynamic any interface
        translate_hits = 0, untranslate_hits = 0
    Auto NAT Policies (Section 2)
    1 (Inside) to (Outside) source dynamic inside-net interface
         translate_hits = 0, untranslate_hits = 0
    SH RUN NAT:
    ASA5510# sh run nat
    nat (Inside,Outside) source dynamic any interface
    object network inside-net
    nat (Inside,Outside) dynamic interface
    SH RUN OBJECT:
    ASA5510(config)# sh run object
    object network inside-net
    subnet 10.0.0.0 255.255.255.0
    description Inside Network Object

    Hello Mitchell,
    First of all, how are you testing this:
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    Take into consideration that the netmask is /30.
    The Twice NAT is good, ACLs are good.
    Do the following and provide us the result:
    packet-tracer input inside tcp 10.10.1.2 1025 4.2.2.2 80
    packet-tracer input inside tcp 192.168.1.100 1025 4.2.2.2 80
    And provide us the result!
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    Note: Check my website, there is a video about this that might help you.
    http://laguiadelnetworking.com
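    As an added diagnostic example (my own code, not from the thread and not a Cisco tool): before reaching for packet-tracer, it is worth checking on paper which NAT rule each network behind Inside would actually hit, because an object NAT line only translates what its object's subnet contains, while a twice-NAT "source dynamic any" line translates everything. The script below parses a constructed excerpt trimmed from the config posted in the question (interface, object network, nat and route lines only; it understands just that subset of ASA syntax) and reports, per inside network and per test host, the auto-NAT objects and manual NAT lines that cover it.

```python
"""Check which ASA NAT rules cover the networks behind the Inside interface.

Added example, not the thread's or Cisco's code. Parses only the subset of
running-config syntax shown in the thread: interface/nameif/ip address,
object network + subnet/host, object (auto) NAT, twice (manual) NAT and
static routes. Standard library only.
"""
import ipaddress
import re

# Constructed excerpt, trimmed from the configuration posted in the question.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Inside
 security-level 100
 ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
 nameif Outside
 security-level 0
 ip address 199.199.199.123 255.255.255.240
object network inside-net
 subnet 10.0.0.0 255.255.255.0
nat (Inside,Outside) source dynamic any interface
object network inside-net
 nat (Inside,Outside) dynamic interface
route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
"""


def parse_config(config, inside="Inside"):
    """Return (objects, auto_nat, manual_nat, inside_nets).

    objects:     object-network name -> ip_network
    auto_nat:    names of objects that carry an object NAT line
    manual_nat:  (raw line, real-source spec) for each twice-NAT line
    inside_nets: connected network of the inside nameif plus routes via it
    """
    objects, auto_nat, manual_nat, inside_nets = {}, set(), [], []
    current_obj = current_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            current_obj, current_if = m.group(1), None
        elif re.match(r"interface \S+$", line):
            current_obj, current_if = None, ""
        elif m := re.match(r"nameif (\S+)$", line):
            current_if = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            if current_if == inside:
                inside_nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif m := re.match(r"subnet (\S+) (\S+)$", line):
            if current_obj:
                objects[current_obj] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"host (\S+)$", line):
            if current_obj:
                objects[current_obj] = ipaddress.ip_network(m.group(1))
        elif m := re.match(r"nat \(\S+,\S+\) source (?:dynamic|static) (\S+) \S+", line):
            manual_nat.append((line, m.group(1)))  # twice NAT: real source follows 'source'
        elif re.match(r"nat \(\S+,\S+\) (?:dynamic|static) ", line):
            if current_obj:
                auto_nat.add(current_obj)  # object NAT applies to the enclosing object
        elif m := re.match(rf"route {inside} (\S+) (\S+) ", line):
            inside_nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return objects, auto_nat, manual_nat, inside_nets


def covers(spec, objects, net):
    """True if a NAT source spec ('any', 'any4' or an object name) contains net."""
    if spec in ("any", "any4"):
        return True
    obj = objects.get(spec)
    return obj is not None and net.subnet_of(obj)


def nat_coverage(config, inside="Inside"):
    """Map each inside network (as a string) to the auto/manual rules that translate it."""
    objects, auto_nat, manual_nat, inside_nets = parse_config(config, inside)
    return {
        str(net): {
            "auto": sorted(n for n in auto_nat if covers(n, objects, net)),
            "manual": [line for line, spec in manual_nat if covers(spec, objects, net)],
        }
        for net in inside_nets
    }


def networks_without_object_nat(config, inside="Inside"):
    """Inside networks no object NAT covers, i.e. ones that depend on a manual rule."""
    return [net for net, r in nat_coverage(config, inside).items() if not r["auto"]]


def nat_rules_for_host(config, host, inside="Inside"):
    """For a test source (e.g. a packet-tracer host): (inside network or None, auto rules, manual rules)."""
    objects, auto_nat, manual_nat, inside_nets = parse_config(config, inside)
    addr = ipaddress.ip_address(host)
    net = next((n for n in inside_nets if addr in n), None)
    host_net = ipaddress.ip_network(addr)
    return (str(net) if net else None,
            sorted(n for n in auto_nat if covers(n, objects, host_net)),
            [line for line, spec in manual_nat if covers(spec, objects, host_net)])


if __name__ == "__main__":
    for net, rules in nat_coverage(SAMPLE_CONFIG).items():
        print(net, "auto:", rules["auto"] or "-", "manual:", rules["manual"] or "-")
    print("covered only by manual NAT:", networks_without_object_nat(SAMPLE_CONFIG))
    print(nat_rules_for_host(SAMPLE_CONFIG, "192.168.1.100"))
```

    Run against the posted excerpt, every network behind Inside (the connected 10.10.1.0/30 and the three routed networks) is outside the inside-net object's 10.0.0.0/24, so only the manual "source dynamic any" line would translate them; that is exactly the kind of gap worth knowing about before interpreting packet-tracer's NAT phase.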
