ASA 5510 - Setting up ACL to permit access only to the Nat'ed subnet

Similar Messages

• ASA 5510 ignoring configured acl entry?

  Greetings,
    I'm configuring up aa ASA-5510, and I have several interfaces, some of which include:
  interface Ethernet0/0.200
  vlan 200
  nameif SITECORP
  security-level 90
  ip address 10.1.4.1 255.255.254.0
  interface Ethernet0/0.207
  vlan 207    
  nameif SITESERVER
  security-level 90
  ip address 10.1.7.1 255.255.255.128
  interface Ethernet0/1.311
  vlan 311
  nameif MOD1BMS
  security-level 100
  ip address 10.1.144.1 255.255.252.0
  I have the following access-lists configured and applied:
  access-list SITECORP_access_in extended permit ip any any
  access-list SITESERVER_access_out extended permit tcp object-group SITECORP object-group SITESERVER eq www
  access-list MOD1BMS_out extended permit tcp object-group SITECORP object-group MOD1BMS eq www
  fw# show run object-group
  object-group network SITECORP
  network-object 10.1.4.0 255.255.254.0
  object-group network MOD1BMS
  network-object 10.1.144.0 255.255.252.0
  object-group network SITESERVER
  network-object 10.1.7.0 255.255.255.128
  fw# show run nat-control
  no nat-control
  packet-tracer shows traffic from SITECORP to MOD1BMS (a higher security-level) on tcp/80 is successful, whereas it shows the same traffic from SITECORP to SITESERVER is denied, due to implicit rule.
  fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.144.200 80 detailed
  <snip>
  Phase: 3
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group SITECORP_access_in in interface SITECORP
  access-list SITECORP_access_in extended permit ip any any
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0xd5641ec8, priority=12, domain=permit, deny=false
          hits=1860, user_data=0xd5526cb0, cs_id=0x0, flags=0x0, protocol=0
          src ip=0.0.0.0, mask=0.0.0.0, port=0
          dst ip=0.0.0.0, mask=0.0.0.0, port=0
  fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.7.11 80 detailed
  <snip>
  Phase: 3
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0xd544e8c8, priority=110, domain=permit, deny=true
  hits=8, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
  src ip=0.0.0.0, mask=0.0.0.0, port=0
  dst ip=0.0.0.0, mask=0.0.0.0, port=0
  This definitely confuses me, because SITECORP has an inbound access-list of permit ip any any.
  Can anyone suggest what I'm missing, how to go about making this work, or what more I might provide to troubleshoot?
  Regards,
    Phil

  Hello Phil,
  That is correct no matter what ACE (access-list entries) you have configured on one interface, if that interface wants to talk to another one with the same security level, the connection would not be allowed (Asa/Pix speaking)
  But you do not have to change the Security level, of course that is one work-around but again the solution is :
  -     same-security-traffic permit inter-interface
  Please mark the question as answered for future queries regarding the same issue unless you have any other question, I would be more than glad to help.
  Regards,
  Julio

• WLC ACL For Internet Access Only

  I've implemented  Cicso ISE 3495's with the advanced subscription license.  I've built my policy sets, and authorization profiles.  It all works great!  Here's the issue that I'm having.  I have internal employees who bring in their own devices (BYOD).  I want to allow them onto the secured SSID that I've created, but only want to give them access to the intra/internet.  I've created an ACL (EmpInternetOnly) on the WLC.  Here are my rules:
  I can get to the intranet, with no issue (ACL lines 1-4).  I can't get to the internet whatsoever.  I see everything falling down to the deny statement.  When I remove the deny statement (ACL line 14), and put a permit all, then the internet works with no issue.  Am I missing something here?  I've researched this topic on several message boards, but can't find an answer.  I've tried to run the acl debug, on the controller, but do not see any output when I run it.  It might be because I don't understand the proper format of how to set it up.  Any and all replies would be much appreciated!  Thanks!
  Steve

• Minimum set of ACLs / security access required for getting MBeanHome and Runtime MBeans

  Hi,
  Where can I get information regarding the "minimum set" of ACLs and security access/permission
  required for
  a) Accessing weblogic.management.MBeanHome [Local and Admin interfaces] and RemoteMBeanServer
  interfaces
  b) Use MBeanHome and RemoteMBeanServer interface to look up MBeans [especially
  Runtime MBeans] for Cluster, Server instances, EJBs, JDBC, Execute Queues, etc?
  Any help or hint is appreciated!
  Regards,
  DKV

  "DKV" <[email protected]> wrote in message
  news:3f4e8429$[email protected]..
  >
  Hi,
  Where can I get information regarding the "minimum set" of ACLs andsecurity access/permission
  required for
  I believe this was answered in the management jmx newsgroup.

• ASA 5510 in Transparent Mode-Guidelines.

  Dear all,
  I need to convert routed mode to transparent mode on my ASA-5510 with inbuilt IPS.
  let me know which of the following features configured on my firewall will have issue if converted to transparent mode:
  1. static routes.
  2. object-groups.
  3. ACLS.
  4. URL-filter (Websense).
  5. IPS . ( i doubt this )
  6. have 3 data and 1 Mgmt interfaces.
  7. syslog.
  8. SNMP
  I'm sure point 5 and 6 will have issues, need to confirm.
  need to confirm this by EOD,
  ( 5 hours more).
  thanks in advance.
  Shukla.

  Does not participate in routing protocols but can still pass routing protocol traffic through it. You can define static routes for the traffic originated by the ASA.
  in transparante mode the devices dehind and infront of the firewall will be in the same ip subnet as the firewall will be a L2 device!!
  ACLs can be configured normally
  syslog as well
  obgect groups as well
  Address translation is inherent when a firewall is configured for routed mode. Beginning with
  ASA 8.0, address translation can be used in transparent mode as well
  Does not participate in multicast. However, it allows passing the multicast traffic through it using the ACLs.
  Does not support QoS.
  Inspects Layer 2 and higher packet headers
  as long as u can use
  policy-map global_policy
  then u can integrate with IPS if u mean AIP-ssm modul
  transparent also known as a Layer 2 firewall or a stealth firewall, because its
  interfaces have no IP addresses and cannot be detected or manipulated. Only a single
  management address can be configured on the firewall
  In transparent mode, a firewall can support only two interfaces-the inside and the outside. If
  your firewall supports more than two interfaces from a physical and licensing standpoint, you
  can assign the inside and outside to two interfaces arbitrarily. As soon as those interfaces are
  configured, the firewall does not permit a third interface to be configured.
  Some platforms also support a dedicated management interface, which can be used for all
  firewall management traffic. However, the management interface cannot be involved in
  accepting or inspecting user traffic
  Configure a management address:
  Firewall(config)# ip address ip_address subnet_mask
  The firewall can support only a single IP address for management purposes. The address is
  not bound to an interface, as in routed mode. Rather, it is assigned to the firewall itself,
  accessible from either of the bridged interfaces.
  The management address is used for all types of firewall management traffic, such as Telnet,
  SSH, HTTP, SNMP, Syslog, TFTP, FTP, and so on.
  A transparent firewall can also support multiple security contexts. In that case, interface IP
  addresses must be configured from the respective context. The system execution space uses
  the admin context interfaces and IP addresses for its management traffic
  You do not have to configure a static route for the subnet directly connected to the firewall
  interfaces. However, you should define one static route as a default route toward the outside
  public network
  i wish i covered all ur questions
  good luck
  if helpful Rate

• Cisco ASA 5510 site to site VPN only

  Hi,
  Need some expert help. I will be deploying the CISCO ASA 5510 in VPN site to site scenario only. One interface will be for the WAN and the other LAN interface is connected to another firewall appliance. The main purpose of the ASA is for branch site VPN connection only. My default gateway is pointing to the Internet router on my WAN inteface. Should NAT be enabled on my WAN inteface? The only expected traffic to go thru my ASA is VPN traffic to the other site. I have already defined static routes and have gone thru the wizard for site to site VPN and added my local and remote networks. Also how do I approach my access policies, the default deny any any is in place. Should I allow anything on it? The firewall connected to my LAN interface is expected to do the filtering, like I said the ASA's purpose is just to do VPN site to site. Thanks all

  Thanks Jon. That is what I want to clarify as well, running the VPN site to site wizard, will automatically create the 'cryptomap' access rules, will the existing deny all rule apply to the VPN traffic? I think there was an option that VPN traffic will bypass access rules.
  So having NAT enabled for anything that goes out on My WAN inteface would not matter at all, even if the VPN traffic will go out of that interface right? Hope I don't sound confusing.
  As per your second question, I know it sounds weird and is not good network design, but customer just renewed maintenance contract for the other firewall box that is why he does not want to get rid of it yet. Although ISA can perform the function as well. Thanks.

• ASA 5510 tunnel dropping

  We have two ASA 5510 firewalls with a tunnel between two sites. The tunnel works without issue until one of the sites experiences a brief outage due to the service provider. The VPN tunnel is not automatically establishing after the outage. It takes a restart of one of the ASA's before it will come back online. How do I get the devices to automatically try to restore the tunnel?
  Chris

  Chris-
  If you configure ISAKMP keepalives, it helps prevent sporadically dropped LAN-to-LAN or Remote Access VPN, which includes VPN clients, tunnels and the tunnels that are dropped after a period of inactivity. This feature lets the tunnel endpoint monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the endpoint removes the connection. In order for ISAKMP keepalives to work, both VPN endpoints must support them.
  *Cisco PIX/ASA 7.x and later, for the tunnel group named 10.165.205.222
  securityappliance(config)#tunnel-group 10.165.205.222 ipsec-attributes
  securityappliance(config-tunnel-ipsec)#isakmp keepalive threshold 15 retry 10
  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
  Hope that helps.

• Reset ASA 5510 back to MFG Settings - Please help??

  A network engineer was in the middle of setting up a customer ASA 5510 Firewall and left. We don't know the IP/UN/PW.
  Is there a way to hard reset the firewall back to manufacture settings?
  Thanks in advance.

  Hi,
  The easiest thing would be to do a password recovery, as described here:
  http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1058131
  Then you can simply reset the password and carry on where he left off.
  HTH
  Andrew.

• RAS and ASA 5510

  I have a ASA 5510 and need to restrict internet access to a defined group in the AD. I was told that you can use RAS server to acomplish this. Has anybody done this before? Any pointers?

  Hi
  this is a 'classic' error and has nothing to do with double authentication, but rather with the fact that you do both radius authentication and radius authorization.
  If you remove this line:
     authorization-server-group RADIUS01
  you'll see it starts to work fine
  In short: when ASA does radius authorization, it sends a radius access-request with the username as the password, which is why you see the second request fail all the time.
  This is because radius authorization is intended to be used when authentication happens using certificates (only) so there is no password.
  Also note that in the Radius protocol, authentication and authorization are not separate things, they both happen in one step. So if the ASA does radius authentication, it already gets the user attributes in the authentication step and it does not make sense to also do a separate authorization step (unless in some very rare scenario where you have 2 radius servers, one for authentication and another one for authorization).
  hth
  Herbert

• How to set-up Guest Client Wireless Access "PIN" with Restricted Access ???

  This is my first time, and, I am not familiar with the rules.
  Is it possible for someone to answer a slightly different question...
  I just bought a TC and hooked it up to my cable modem. I have 3 computers that I want to configure, with the following requirements: WPA/WPA2 security all around, only the 3 computers I have to be allowed use of the TC, and, no listing of the network should appear on remote computers (i.e., a "closed network"). With these basic needs, the three computers I want to be in this network are listed below --- subject to the following ACCESS limitations:
  1. A G4 iMAC (10.5.5), wired to the TC via an Ethernet cable: FULL ACCESS; i.e., shared file access, TM back-ups, HP printer access, internet access;
  2. A MacBook (10.5.5), airport wireless access to the TC: FULL ACCESS, as the iMAC.
  3. A (new generation) PC laptop: VERY LIMITED access --- access only to the internet, so that the TC looks only like a "wireless router." Internet access available at any time of the day or week. It would be good if this client did not have to use any of my passwords, just a "PIN." Also, I do NOT want this PC client to see my printer, and, also, to NOT see my TC base station and NOT have access to my TC/TM disks. To set this up, I entered the PC laptop name and the "MAC" address using the Airport Utility. Then, I selected the "PIN" choice for access, so that this client need not have to ever use or know of any of my passwords. After I selected the "PIN" option, the utility asked me to enter the PC client's PIN. How do I obtain the PC's PIN? This is very confusing to me, so, I apologize to you all (I'm very new at this).
  Hopefully, this TC-only network concern is within the guidelines to be answered.
  Thanks,
  David.

  Dear Smokerz,
  Well, this is where I'm confused. I did use the Airport Utility. I went to the place where it asks for the PIN number. So, I made up an 8-digit number and entered it. I assumed that after I entered the number, it would prompt me to do something with the PC. But, the "Continue" button did not become highlighted. Hence, my confusion. Can you please be more specific as to exactly what I should do using the Airport Utility? The detailed instructions are vague to me, unfortunately.
  Also, with respect to the PC Laptop: I only want it to have access to the internet via the TC (so that the TC acts as a wireless router). And, I want to set up restrictions for limited use of the PC: NO ACCESS to the HP printer, and NO ACCESS to the TM/TC (other than as a wireless router). As before, can you please be more specific as to exactly what I should do using the Airport Utility?
  I must be missing a trivial menu item, so, again, I apologize.
  Thank you,
  David.

• Can Teredo for Microsoft DirectAccess work in the DMZ of an ASA 5510?

  I'd like to find some way to get Teredo to work with our DirectAccess implementation.  To do that, the external facing NIC on the DirectAccess server needs to be configured with a routable public IP address.
  We have an ASA 5510 (running 8.3 (2)) that has switches on the Internal and DMZ interfaces, but connects directly to our Internet router through the External interface.
  So, I do not have a switch that will allow me to connect our DA server directly to the edge.  Short of buying a new switch and putting it outside of the firewall, I wanted to see if there was a way to configure the ASA so that Teredo would work in the DMZ.
  Our current DMZ has 2 barracuda devices (spam and web filters) using static NAT objects.  The IPs are all 192.168.x.
  Is there some way of getting the DirectAccess external interface to work in the DMZ with a public IP address (and our ISP's gateway) without mucking everything else up?  I've read about transparency mode, but I cannot figure out if that would affect our other devices.
  Thanks in advance!
  -Brad

  Hi. I'm not 100% sure.......... But I think With UAG service pack 1 or 2 you no longer require a publicly routatable address for the external interface of the UAG server. You can now add the UAG server to your existing DMZ without affecting the addressing. Then  you allow the Teredo tunneling traffic to the server.
  HTH

• Set up TM w/Limited Access to one laptop & Full Access to another?

  Dear Apple,
  I just received my Apple 1 TB Time Capsule. Can someone please help me with a network configuration I want to set up?
  I have a cable modem, and, three computers: a G4 iMAC (system 10.5.5), an Apple MacBook (system 10.5.5), and, a PC laptop.
  The Time Capsule is connect directly to the cable modem.
  Regarding the computers:
  (1) I want the G4 iMAC to connect directly, via an Ethernet cable, to the Time Capsule, WITH FULL ALLOWED ACCESS to the Time Capsule and to the back-up function of the Time Machine feature, and, with allowed access to my HP inkjet printer (class 6110);
  (2) I also want the MacBook laptop to wirelessly link to the Time Capsule via the Airport utility on the laptop, and, WITH FULL ALLOWED ACCESS to the Time Capsule and to the back-up function of the Time Machine feature (using WPA/WPA2 security, and, without the network name visible to third parties), and, WITH allowed access to my HP inkjet printer (class 6110);
  (3) I want the PC laptop to wirelessly link to the Time Capsule (using WEP security), but WITHOUT ACCESS to the Time Machine, WITHOUT access to the back-ups on the iMAC, WITHOUT access to the back-ups on the MacBook, and, WITHOUT access to the inkjet printer --- I only want the PC to use the Time Capsule as a WIRELESS ROUTER so that the PC laptop can access the internet.
  (4) And, finally, I want to specify (Time-Capsule/Time-Machine/server ) access ONLY to the iMAC and the MacBook, so that others cannot gain any access.
  I specifically need help to set up and configure the Time Capsule so that the PC laptop, as stated above, should have limited access to the Time Capsule --- namely, only to access the internet, and, not even be aware of stored data on the Time Capsule, not even be aware of the inkjet printer, and, not even see my WPA network name when the PC scans for wireless devices.
  I also want the iMAC and the MacBook to have access to each other’s data stored on the Time Capsule (like a common server).
  I have an old D-Link DI-624 wireless router that I used before buying the Time Capsule, which is available, if needed. Hopefully, I can configure the Time Capsule so that I would not need the old D-Link.
  Thank you in advance,
  David.

  Not a problem. I just wanted to point out that you won't get any "official" answers from Apple on this board. It is all user to user and we only know what we know and some of the time it is conjecture on how to fix a problem if we've never seen it before. I try to point out when I'm guessing, but I don't always remember to rephrase my statements.
  I'm not sure how to set up the Time Machine, but look for an option to only serve out files via AFP (Apple Filing Protocol) only. Turn off SMB sharing, if possible. The PC won't be able to understand AFP--it communicates via SMB (Server Message Block). I would think you should be able to set up
  If the PC can use WPA or WPA2, use that instead of WEP. There is no way to set up special passwords for individual users on a wireless network. It is all or nothing. Now, the wireless password could be different than the password needed to access the files, I think. So, you could set up a simple WPA password for wireless, but set up user accounts with strong passwords for the file server. Again, I don't have Time Capsule, so I don't know how to set it up. Hopefully, I've put enough keywords in for you to look through the configuration options and get it set up.
  As long as this thread stays open and unanswered, more people might look in and have a more specific answer for you.

• ASA 5510 - Memory : 1 Slot or 4 Slots?

  Is there a way of ascertaining whether my 5510's have 1 memory slot or 4 memory slots without having to open the chassis?
  I need to order the appropriate memory  upgradfe kits.
  Thanks.                            

  Manufacturing may be able to tell us if the unit was shipped with 1 or 4 slots with the serial number.
  CSCtd80603    DOC: Only One Memory Slot Should be Used on ASA 5510
  http://www.cisco.com/en/US/docs/security/asa/hw/maintenance/guide/procs.html#wp1075832
  For memory upgrade in the Cisco ASA 5510 with
  four memory sockets, use slot 1 - P13 and note that only one slot must
  be populated at all times. For optimum performance in the
  Cisco ASA 5520 and the Cisco ASA 5540 , install the DIMMs in slots P13
  and P15, if you are populating only two slots.
  [Wrap text]  [Edit this enclosure]
  R-comments: Added 03/12/2010 16:37:30 by sheema
  [Unwrap text]  [Edit this enclosure]
  R-comments: Added 03/12/2010 16:37:30 by sheema
  [Unwrap text]  [Edit this enclosure]
  N-comments: Added 02/26/2010 09:19:09 by aossipov
  [Wrap text]  [Edit this enclosure]
  N-comments: Added 02/26/2010 09:19:09 by aossipov
  [Unwrap text]  [Edit this enclosure]
  N-comments: Added 02/26/2010 09:19:09 by aossipov
  [Unwrap text]  [Edit this enclosure]
  Release-note: Modified 02/26/2010 09:18:35 by aossipovSymptom:
  Cisco ASA 5500 Series Adaptive Security Appliance Hardware Installation Guide mistakenly instructs to use slots 1 and 3 or slots 2 and 4 for memory upgrades on some ASA 5510 boxes with 4 memory sockets. On the contrary, the Dual In-line Memory Module (DIMM) should only be inserted in slot 1 on all ASA 5510 devices; slots 2-4 should not be used. This defect is filed to correct the documentation.
  [Wrap text]  [Edit this enclosure]
  Release-note: Modified 02/26/2010 09:18:35 by aossipov
  [Unwrap text]  [Edit this enclosure]
  Release-note: Modified 02/26/2010 09:18:35 by aossipov
  [Unwrap text]  [Edit this enclosure]
  Affected_Customer: Added 02/10/2010 13:55:22 by dwhitejr
  [Wrap text]  [Edit this enclosure]
  Affected_Customer: Added 02/10/2010 13:55:22 by dwhitejr
  [Unwrap text]  [Edit this enclosure]
  Affected_Customer: Added 02/10/2010 13:55:22 by dwhitejr
  [Unwrap text]  [Edit this enclosure]
  MFG-Info: Added 02/10/2010 13:49:50 by dwhitejr
  [Wrap text]  [Edit this enclosure]
  MFG-Info: Added 02/10/2010 13:49:50 by dwhitejr
  [Unwrap text]  [Edit this enclosure]
  MFG-Info: Added 02/10/2010 13:49:50 by dwhitejr
  [Unwrap text]  [Edit this enclosure]
  Eng-notes: Added 12/14/2009 09:42:14 by aossipov
  [Wrap text]  [Edit this enclosure]
  Eng-notes: Added 12/14/2009 09:42:14 by aossipov
  [Unwrap text]  [Edit this enclosure]
  Eng-notes: Added 12/14/2009 09:42:14 by aossipov
  [Unwrap text]  [Edit this enclosure]
  I-comments: Added 12/14/2009 09:35:48 by aossipov
  [Wrap text]  [Edit this enclosure]
  I-comments: Added 12/14/2009 09:35:48 by aossipov
  [Unwrap text]  [Edit this enclosure]
  I-comments: Added 12/14/2009 09:35:48 by aossipov
  [Unwrap text]  [Edit this enclosure]
  J-comments: Added 12/14/2009 06:19:04 by dwhitejrThis bug is not accurate.  The doc is correct.
  The original ASA-5510s shipped with 4 DIMM sockets.  Only after production for
  about a year was the 5510 re-worked and we came out with a cost reduced model
  which reduced the DIMM sockets from 4 to 1.  This was verified by MFG.
  [Wrap text]  [Edit this enclosure]
  J-comments: Added 12/14/2009 06:19:04 by dwhitejr
  [Unwrap text]  [Edit this enclosure]
  J-comments: Added 12/14/2009 06:19:04 by dwhitejr
  [Unwrap text]  [Edit this enclosure]
  SS-Review: Added 12/13/2009 11:28:45 by aossipov
  [Wrap text]  [Edit this enclosure]
  SS-Review: Added 12/13/2009 11:28:45 by aossipov
  [Unwrap text]  [Edit this enclosure]
  SS-Review: Added 12/13/2009 11:28:45 by aossipov
  -KS

• VISTA & WIRELESS : HOW TO SOLVE LOCAL ACCESS ONLY?

  Thank you for your reading and possible answer(s),
  UNABLE TO GET "LOCAL AND INTERNET ACCESS" UNDER VISTA, WHILE IT WAS POSSIBLE UNDER XP
  I used to get connected "home-like" with XP to a "secondary wireless router" (SSID: Wlancomtrend - no authentication needed, no work group, signal strength: Excellent), which gets the internet signal from a "main wireless router", plugged to the DSL line (SSID: Wireless - no authenticatin needed, no work group, signal strength: Good / Low).
  I am not the administrator of these routers. I used to get DNS automatically under TCPIP properties.
  VISTA DOESN'T LET ME ACCESS THE INTERNET, THOUGH I MANAGE TO CONNECT TO THE SAME ROUTER
  It says: "Access: local only"; and under Network and sharing center it says "unidentified network". I gess I'm a bit unfamiliar with this OS and do not master all its settings. I also marked off security essentials like Firewall under Windows security center, to prevent any possible internet access blocking. My laptop power plan is also set to "High performance".
  - I suspect my ID network is not well configured. Under System properties (right click on the "My computer icon") > Computer name > network ID > Join a Domain or Workgroup: I'm trying to keep the "This is a home computer" setting, but it goes back to "This computer is part of a business network" all the time, even after reboot. How to fix this, by the way?
  - Under Network and Sharing center > Customize the current connection > location type > i set it to "public".
  Other factors maybe irrelevant: / Sharing discovery > Network discovery: "On" / > file sharing: "On".
  I get DNS automatically under TCPIP properties (as with XP).
  A couple of days ago, VISTA managed to get internet with the "main wireless router" (SSID: Wireless - no authentication needed, signal strength: Good / Low). I just tried to set ID network to "This is a home computer" and rebooted. Under the network window, I also tried to tick a network location or workgroup. This may not be important, though.
  I STILL JUST GET LOCAL ACCESS ONLY WITH MY WIRELESS CONNECTION UNDER VISTA
  Any help? Molta mercé / Many thanks
  Also tried:
  - Automatically Detect Settings checked in internet options
  - Obtain an IP address automatically under TCPIP properties
  - Enable DHCP
  - Disable User Account Control in Security Center
  - Disable most of the Vista security stuff
  - Remove and set up all connections
  - IPv6 off
  - etc.
  Google Occitan www.google.com/intl/oc/ | http://www.eurominority.org/documents/cartes/occitania.gif

  Well, I have been thoroughly frustrated by this networking problem in Vista.  What is so INSIDIOUS about it, is that it can happen spontaneously/periodically.  When it first started happening, I could go for hours with
  no problems.  And then all of the sudden, it's "LOCAL ACCESS ONLY."   I'd even lose my Internet connection completely, but then it would come back momentarily.  Lately though, the problem got worse.  It would happen every 5-10 minutes.
  What really drove me nuts originally is that I had set up a new wireless router: a TP-Link TL-WR941N.  Very nice and powerful.  It can reach up 3 stories in a multi-story home.  I have my computer up on the 3rd floor.  My Internet
  connection was no problem... for MONTHS.  And then, all of the sudden, this "LOCAL ACCESS ONLY" problem started cropping up.  My network connection would change to this, then after a few moments, go back to "LOCAL AND INTERNET".
   I figured it was some kind of "momentary atmospheric problem".  But no.  It continued on, for days and days after it had started.  Why?  Why would this start happening when nothing else had changed?
  Ah, but that's where I was amiss.  You see, Vista gets updated frequently by the powers that be at Microsoft.  And who knows what things they really do?  You don't get a full report.  You just keep getting "important security updates".
   Well, I suspect that at some point, they introduced some changes which affect the networking capability of Vista.  And so, since that point, you'll have periodic problems as I have.
  Microsoft is so focused on Windows-7, that they really can't be bothered with Vista.  AND... I really wonder if they leave defects like this around to give incentive for people to upgrade to Windows-7.  I wouldn't put it past them.
  Well, the main thing is that each person's situation is different.  Some people have 3rd party software that is tripping it up (like Norton or McAfee).  I think a lot of the problem depends upon the type of wireless router you're connected with
  and the type of network (e.g. G vs. N).  So that's why some fixes proposed solve the problem while others do nothing.
  If you try any settings changes, I strongly recommend that you do them one at a time.  Also, keep note of what you've applied.  It is important to be able to roll back those changes if need be.
  So, this was the first friendly user tip that helped me:
  Over the course of several days, I made only one change at a time, then waited to see if the failure occurred again.  I'm an IT networking professional so I based my decisions on my familiarity with network protocols, impact, risk, ease of
  implementation and fallback positions.
  These are the steps I took:
  1.  Installed Teracopy, which takes over the file copying function of Windows.
  http://www.codesector.com/teracopy.php
  2. Disabled IPv6 (Control Panel -> Network Connections -> <your connection> -> Properties)
  3.  Disabled Link Layer Topology Discovery Mapper and Responder (Control Panel -> Network Connections -> <your connection> -> Properties)
  4. Set Power settings to high performance (Control Panel -> Power Options) and disabled the screensaver (Control Panel -> Personalization -> Screen Saver)
  5. Reduced my Linksys router's MTU to 1480 (although I doubt this was part of the solution)
  6. Enabled ECN with the following command "netsh interface tcp set global ecncapability=enabled" from command line (Start -> cmd)
  http://technet.microsoft.com/en-us/library/bb726965.aspx
  Possibly step 6 is all you really need to do.  Please post if this works for you.
  Well, I figured I'd give step #6 a shot.  Why not?  There are a few other command line settings recommended, but I decided to try it alone first:
            netsh interface tcp set global ecncapability=enabled
  At first, this seemed to be the only thing I needed to do.  My "LOCAL ACCESS ONLY" problem seemed to stop happening, observed over a 20 minute period.  It happened again for a moment, but then Internet Access returned right away.  I thought
  the problem was solved... But then "LOCAL ACCESS ONLY" came back and stayed.  I had to run these commands as well:
            netsh interface tcp set global autotuninglevel=disabled
            netsh interface tcp set global rss=disabled
  This WORKED!  I seem to sustain my Internet connection for much longer periods.  LOCAL ACCESS ONLY does pop up sometimes, but it is very brief.  I think it's something to do with my router going into "sleep mode" on the
  connection.  If I try to make a connection to a website, it comes back to life and I have Internet Access again.
  LASTLY...
  There is one other thing I want to mention, in case someone else reading this has the same problem.
  One day after a severe storm that caused a power outage, I started getting "LOCAL ACCESS ONLY."  The wireless router was there and I'd connect to it, but no Internet.  I connected directly to it, hardwired, and STILL had the same problem.  I
  rebooted the router, the cable modem, you name it.  Same problem.  Being directly connected to the cable modem was fine.  Did my router get fried from a power surge during the storm?  It seemed perfectly fine in all other respects.  I
  eventually contacted the TP-LINK customer support.  I learned something new...  the problem was with the IP ADDRESS of the router conflicting with the cable modem.
  By default, your wireless router will take IP address 192.168.1.1.  In some cases, this will be a problem if the cable modem is taking the same IP address
  and is finicky about the address of the wireless router.  It was fine for almost 6 months... why did it become a problem all of the sudden?  Bizarre.  Suspicion was that the ISP changed some things (they remotely reprogram
  the modems from time to time, you know).  The solution?  Give the wireless router a different address (e.g. 192.168.2.1).  It worked!  I was able to get Internet access after that.  Worked fine for several months,
  too...  until I started getting that periodic "LOCAL ACCESS ONLY" again.  But the solution above seems to have addressed it.
  Good luck to those having problems.  I sure wish Microsoft would be more dedicated to its customer base.  But thankfully we've got forums like this which bring people together to help solve each others problems.  :-)

• Internet Access from Inside to Outside ASA 5510 ver 9.1

  Hi everyone, I need help setting up an ASA 5510 to allow all traffic going from the inside to outside so I can get internet access through it. I have worked on this for days and I have finally got traffic moving between my router and my ASA, but that is it. Everything is blocked because of NAT rules I assume.
  I get errors like this when I try Packet Tracer:
  (nat-xlate-failed) NAT failed
  (acl-drop) Flow is denied by configured rule
  Version Information:
  Cisco Adaptive Security Appliance Software Version 9.1(4)
  Device Manager Version 7.1(5)
  Compiled on Thu 05-Dec-13 19:37 by builders
  System image file is "disk0:/asa914-k8.bin"
  Here is my ASA config, all I want for this exercise is to pass traffic from the inside network to the outside to allow internet access so I can access the internet and then look for specific acl's or nat for specific services:
  Thank You!
  Config:
  ASA5510# sh running-config
  : Saved
  ASA Version 9.1(4)
  hostname ASA5510
  domain-name
  inside.int
  enable password <redacted> encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd <redacted> encrypted
  names
  dns-guard
  interface Ethernet0/0
  description LAN Interface
  nameif Inside
  security-level 100
  ip address 10.10.1.1 255.255.255.252
  interface Ethernet0/1
  description WAN Interface
  nameif Outside
  security-level 0
  ip address 199.199.199.123 255.255.255.240
  boot system disk0:/asa914-k8.bin
  ftp mode passive
  dns domain-lookup Outside
  dns server-group DefaultDNS
  name-server 199.199.199.4
  domain-name
  inside.int
  object network inside-net
  subnet 10.0.0.0 255.255.255.0
  description Inside Network Object
  access-list USERS standard permit 10.10.1.0 255.255.255.0
  access-list OUTSIDE-IN extended permit ip any any
  access-list INSIDE-IN extended permit ip any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu Inside 1500
  mtu Outside 1500
  mtu management 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-715.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (Inside,Outside) source dynamic any interface
  object network inside-net
    nat (Inside,Outside) dynamic interface
  access-group INSIDE-IN in interface Inside
  access-group OUTSIDE-IN in interface Outside
  router rip
  network 10.0.0.0
  network 199.199.199.0
  version 2
  no auto-summary
  route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
  route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
  route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
  route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 Inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association pmtu-aging infinite
  crypto ca trustpool policy
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 Inside
  ssh timeout 60
  ssh version 2
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  username <redacted> password <redacted> encrypted privilege 15
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
     inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http
  https://tools.cisco.com/its/service/oddce/services/DDCEService
     destination address email
  [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
     subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  password encryption aes
  Cryptochecksum:
  <redacted>
  : end
  SH NAT:
  ASA5510# sh nat
  Manual NAT Policies (Section 1)
  1 (Inside) to (Outside) source dynamic any interface
      translate_hits = 0, untranslate_hits = 0
  Auto NAT Policies (Section 2)
  1 (Inside) to (Outside) source dynamic inside-net interface
       translate_hits = 0, untranslate_hits = 0
  SH RUN NAT:
  ASA5510# sh run nat
  nat (Inside,Outside) source dynamic any interface
  object network inside-net
  nat (Inside,Outside) dynamic interface
  SH RUN OBJECT:
  ASA5510(config)# sh run object
  object network inside-net
  subnet 10.0.0.0 255.255.255.0
  description Inside Network Object
  Hi all,Hello everyone, I need some help before my head explodes. Idddddddd

  Hello Mitchell,
  First of all how are you testing this:
  interface Ethernet0/0
  description LAN Interface
  nameif Inside
  security-level 100
  ip address 10.10.1.1 255.255.255.252
  Take in consideration that the netmask is /30
  The Twice NAT is good, ACLs are good.
  do the following and provide us the result
  packet-tracer input inside tcp 10.10.1.2 1025 4.2.2.2 80
  packet-tracer input inside tcp 192.168.1.100 1025 4.2.2.2 80
  And provide us the result!
  Looking for some Networking Assistance? 
  Contact me directly at [email protected]
  I will fix your problem ASAP.
  Cheers,
  Julio Carvajal Segura
  Note: Check my website, there is a video about this that might help you.
  http://laguiadelnetworking.com