Block / Deny ICMP Traffic cisco asa 5512-x
Hi expert,
I have a Cisco ASA 5512-X to configure as a firewall and SSL VPN.
My customer wants to block/deny ICMP traffic from the outside interface without blocking anything else.
I've configured from the CLI:
icmp deny any outside
but from outside I can't open the SSL VPN URL and ASDM.
Hi,
Access for AnyConnect/ASDM does not depend on the ICMP permit/deny commands on the ASA device.
If you want to block pings to the ASA interface, use the command:
icmp deny any outside etc.
What do you mean by "I can ping from outside"? Please explain.
Thanks and Regards,
Vibhor Amrodia
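As an added example (not from the thread above), the block below shows how the ASA `icmp` command can drop pings to the outside interface while keeping the ICMP types the firewall's own connections still need. The monitoring host 203.0.113.10 is an assumed placeholder; the interface name `outside` is the one used in the question.

```cisco
! Added example, not from the original post.
! The "icmp" command only governs ICMP that terminates ON the ASA's own
! interface; it has no effect on ICMP passing through the ASA.
! Entries are evaluated top-down and the first match wins, so "deny" goes last.

! Error/feedback messages the ASA itself relies on (e.g. path MTU discovery
! for its own VPN tunnels and management sessions)
icmp permit any unreachable outside
icmp permit any time-exceeded outside

! Replies to pings the ASA itself sources from the outside interface
icmp permit any echo-reply outside

! Assumed: one external monitoring host may still ping the interface
icmp permit host 203.0.113.10 echo outside

! Everything else destined to the outside interface is dropped
icmp deny any outside

! ASDM and AnyConnect ride on TCP/443 and are unaffected by the lines above;
! they are controlled by "http <net> <mask> outside" and "webvpn / enable outside".

! Verify:
! show running-config icmp
! packet-tracer input outside icmp 198.51.100.5 8 0 <outside-interface-ip>   (expect drop)
```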
Similar Messages
-
I have a Cisco ASA 5512 working as a firewall.
We configured one ASA interface connecting to a Cisco 1700 router with a leased-line internet service without any problem.
Now we have an extra internet connection, ADSL 2MB, connected to another ASA interface.
I configured the ASA like this:
1- Enable interface 2 on the ASA and connect it to the ADSL router (interface IP 192.168.1.100, from the same range as the ADSL router {192.168.1.1})
2- Create an access rule: source (my computer IP), destination ADSL network range, action accept
3- Create a NAT rule: source interface inside, source IP (my IP), destination interface ADSL IP 192.168.1.100, destination router IP 192.168.1.1
4- Add a static route: ADSL interface, source IP my IP, gateway ADSL router
These are the steps I did, but it doesn't work.
Thanks in advance
FYI, for internet access I doubt this will work, because if you configure two default routes the ASA won't distribute traffic across two interfaces; the first default route will be the one the ASA sends traffic to. However, from your description it is not very clear which IP address you are trying to ping and how exactly you have configured the rules.
Either attach your config or paste the relevant config in the post. -
How to Configure Cisco ASA 5512 for multiple public IP interfaces
Hi
I have a new ASA 5512 that I would like to configure for multiple public IP support. My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
Here is my concept. We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access. We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections. I have installed an add on license that allows multiple outside interfaces along with a number of other features.
Outside Networks (I've changed the IPs for security purposes)
Outside1 E 0/0 : 74.55.55.210 255.255.255.240 gateway 74.55.55.222
Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
Inside1 : E 0/1 192.168.255.1 255.255.248.0
Inside2 : E 0/3 172.16.255.1 255.255.248.0
My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2. The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.
I can post my config up as needed. I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app. My ASA 5512 is at 9.1.
Thanks in advance for the suggestions/help
I have been away for a while and am just getting caught up on some posts, so my apology for a delayed response.
I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes, using one process for each of the public address ranges, with some strange distribute list which uses a route map. I am not clear what exactly this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP.
To the original poster
It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want, where a group of users will use a specified ISP and the other group of users will use the other ISP, you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
HTH
Rick -
Cisco ASA 5512, IP NVR port forwarding
Hi,
I have a Cisco 5512 ASA with version 8.6(1)2. I have one IP NVR for IP cameras.
Please help me with how to configure port forwarding on the Cisco ASA via the CLI.
I have a static IP on the ASA, 94.56.178.222, and the NVR IP is 10.192.192.100.
Thank you so much.
ASA#
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 94.56.178.222 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2969000, priority=0, domain=permit, deny=true
hits=11524, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
please advise
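The packet-tracer above ends in "Flow is denied by configured rule" at the ACCESS-LIST phase because nothing on OUTSIDE permits the flow and no translation exists for the NVR. The block below is an added example (not from the post) of the 8.6 NAT syntax that would forward two ports to the NVR; it assumes the inside interface is named INSIDE, that the NVR listens on TCP 80 and 554 (typical NVR web and RTSP ports, not stated in the post), that 198.51.100.0/24 is the only network that should reach it, and that 94.56.178.222 is the ASA's own outside address, so interface PAT is used.

```cisco
! Added example, not from the original post. ASA 8.6 (post-8.3 NAT syntax).
! Assumptions: inside interface named INSIDE; NVR listens on TCP 80 and 554;
! 94.56.178.222 is the outside interface address, so we PAT on "interface".

! One object per forwarded service is the supported way to do multiple static PATs
object network NVR_HTTP
 host 10.192.192.100
 nat (INSIDE,OUTSIDE) static interface service tcp 80 80
object network NVR_RTSP
 host 10.192.192.100
 nat (INSIDE,OUTSIDE) static interface service tcp 554 554

! After 8.3 the interface ACL references the REAL (inside) address, not the public one.
! Limit the source to the network that actually needs the cameras (198.51.100.0/24
! is an assumed placeholder); an NVR exposed to "any" is a frequent intrusion path.
access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 object NVR_HTTP eq 80
access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 object NVR_RTSP eq 554
! If an access-group is already bound to OUTSIDE, add the lines to that ACL instead
access-group OUTSIDE_IN in interface OUTSIDE

! Verify by re-running the trace from the post; phase ACCESS-LIST should now be ALLOW
! and a NAT phase should show the translation to 10.192.192.100:
! packet-tracer input OUTSIDE tcp 198.51.100.7 40000 94.56.178.222 80
```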
Cisco ASA 5512 Transparent mode
Hi all - hope this is the right place to ask this question-
I'm having trouble understanding how to configure an ASA 5512X in what should be a really easy way -
I simply want the ASA to be a transparent Layer 2 "bump" in a routed link between two networks, and then I'll use the Management interface to actually see the firewall ASDM,Syslog, configure, etc.
I have the interfaces set up thusly:
interface GigabitEthernet0/0
nameif UnTrustedNetwork
security-level 0
interface GigabitEthernet0/1
nameif TrustedNetwork
security-level 100
interface Management0/0
nameif ManagementAccess
security-level 100
ip address 192.168.X.Y 255.255.255.0
management-only
I cannot figure out how to install a default route so that interface Management0/0 with its IP of 192.168.X.Y can be reached from other networks, like 10.6.X.Y, etc.
I thought the point of a Management interface was that you could set things up in such a way that the Management interface was the only way you could access the firewall, and you did not have to have IP addresses on the Gig interfaces (at least not in transparent mode; for NAT you obviously would have to).
I tried to add a static route entry to 10.6.X.Y, but when I typed "route.." my only available destination interfaces were either TrustedNetwork or UnTrustedNetwork??
How do I configure the Management interface for non-local subnets to be reachable on the firewall in transparent mode?
A transparent firewall is configured differently from routed mode.
here's a basic config required:
firewall transparent (erases the current config; does not require a reboot)
interface BVI1
ip address 192.168.10.10 255.255.255.0
interface GigabitEthernet0
nameif outside
bridge-group 1
security-level 0
interface GigabitEthernet1
nameif inside
bridge-group 1
security-level 100
route outside 0.0.0.0 0.0.0.0 192.168.10.254
route inside 10.0.0.0 255.0.0.0 192.168.10.100
I think that you need a BVI interface with an IP address before the ASA starts forwarding traffic
The old syntax (pre 8.3 or 8.2 not sure) forces only 2 interfaces and no BVI was configured... the IP was assigned in global config.
Hope that helps,
Patrick -
Cisco ASA 5512-X slow upload speeds
Drop rate on the internet link.... are you sure the ISP's router is set to auto/auto on duplex/speed?
You might need to force the duplex/speed at both ends.
On my Internet link I get the following:
Interface GigabitEthernet0/3 "INTERNET_LINK", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 54a2.7459.d17c, MTU 1500
IP address 10.6.72.146, subnet mask 255.255.255.248
625090952 packets input, 238504080257 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
873663838 packets output, 1085237392896 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 5 interface resets
0 late collisions, 0 deferred
0 input reset drops, 30 output reset drops
input queue (blocks free curr/low): hardware (472/427)
output...
-
Cisco ASA 5520 traffic between interfaces
Hello,
I am new to the Cisco world, learning how everything goes. I have a Cisco ASA 5520 firewall that I am trying to configure, but I am stumped. Traffic does not pass through interfaces (I tried ping), although packet tracer shows everything as OK. I have attached the running config and the packet tracer. The IPs I am using in the tracer are actual hosts.
ciscoasa# ping esx_management 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping home_network 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
Success rate is 0 percent (0/5)
Thank you in advance.
Hi,
Is this just a testing setup? I would suggest changing "internet" interface to "security-level 0" (just for the sake of identifying its an external interface) and not allowing all traffic from there.
I am not sure what your "packet-tracer" is testing. If you wanted to test ICMP Echo it would be
packet-tracer input home_network icmp 10.192.5.5 8 0 255 192.168.10.100
I see that you have not configured any NAT on the ASA unit. In the newer ASA software that would at least allow communication between all interfaces with their real IP addresses.
I am not so sure about the older ASA versions anymore. To my understanding "no nat-control" is the default setting in your model, which basically states that there is no need for NAT configurations between the interfaces the packet is going through.
Have you confirmed that all the hosts/servers have the correct default gateway/network mask configurations so that traffic will flow correctly outside their own network?
Have you confirmed that there is no firewall software on the actual server/host that might be blocking this ICMP traffic from other networks?
Naturally, if you wanted to try some NAT configurations you could try either of these, for example, just for the sake of testing:
Static Identity NAT
static (home_network,esx_management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
static (home_network,DMZ) 192.168.5.0 192.168.5.0 mask 255.255.255.0
static (home_network,management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
OR
NAT0
access-list HOMENETWORK-NAT0 remark NAT0 to all local networks
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (home_network) 0 access-list HOMENETWORK-NAT0
Hope this helps
- Jouni -
Configuring "Guest Wi-Fi" VLAN on ASA 5512
I'm attempting to set up a new VLAN on my Cisco ASA 5512 running version 8.6(1)2. This VLAN will provide access for wireless "guest" APs in my network. I have the guest VLAN set up through to my switches; I'm able to dedicate a switch port to VLAN 40 and acquire an IP address in the 10.40.10.0/24 network. Below is an excerpt of what I think is the relevant config information. I'm trying to route guest traffic out my "outside" interface.
Obviously I'm missing another command in here. Any help would be greatly appreciated. If more of the running-config is needed please advise. Thanks in advance!
interface GigabitEthernet0/1.40
description Guest Wireless Network
vlan 40
nameif guestwireless
security-level 50
ip address 10.40.10.5 255.255.255.0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1 (public IP at X.X.X.X)
access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 interface outside
mtu guestwireless 1500
access-group guestwireless_access_in in interface guestwireless
dhcpd address 10.40.10.50-10.40.10.250 guestwireless
dhcpd dns 8.8.8.8 interface guestwireless
dhcpd enable guestwireless
Stripped out some config pertaining to crypto and credentials
--------------Config Below-----------------------------------
: Saved
ASA Version 8.6(1)2
hostname ASA
domain-name company.local
names
interface GigabitEthernet0/0
description ISP Interface
nameif outside
security-level 100
ip address ##.##.###.### 255.255.255.248
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
interface GigabitEthernet0/1.40
description Guest Wireless Network
vlan 40
nameif guestwireless
security-level 50
ip address 10.40.10.5 255.255.255.0
interface GigabitEthernet0/2
nameif inside-tempnet
security-level 0
ip address 172.29.0.252 255.255.255.0
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name company.local
same-security-traffic permit inter-interface
object network NETWORK_OBJ_10.100.10.0_24
subnet 10.100.10.0 255.255.255.0
access-list outside_access_in extended permit ip object NETWORK_OBJ_10.100.10.0_24 any
access-list inside-tempnet_access_in extended permit ip 172.29.0.0 255.255.255.0 object NETWORK_OBJ_10.100.10.0_24
access-list Split_Tunnel_List standard permit 172.29.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu guestwireless 1500
mtu inside-tempnet 1500
mtu management 1500
ip local pool ClientVPN-DHCP-Pool 10.100.10.50-10.100.10.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
asdm history enable
arp timeout 14400
nat (inside-tempnet,outside) source static any any destination static NETWORK_OBJ_10.100.10.0_24 NETWORK_OBJ_10.100.10.0_24 no-proxy-arp route-lookup
nat (guestwireless,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside-tempnet_access_in in interface inside-tempnet
route outside 0.0.0.0 0.0.0.0 ##.##.###.### 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
http server enable
http 0.0.0.0 0.0.0.0 inside-tempnet
http 172.29.0.0 255.255.255.0 inside-tempnet
http redirect inside-tempnet 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
dhcpd address 10.40.10.50-10.40.10.250 guestwireless
dhcpd dns 8.8.8.8 interface guestwireless
dhcpd enable guestwireless
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside-tempnet
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect profiles VPNConnect disk0:/vpnconnect.xml
anyconnect enable
tunnel-group-list enable
group-policy "GroupPolicy_VPN Connect" internal
group-policy "GroupPolicy_VPN Connect" attributes
wins-server none
dns-server value #.#.#.#
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value company.local
webvpn
anyconnect profiles value VPNConnect type user
tunnel-group "VPN Connect" type remote-access
tunnel-group "VPN Connect" general-attributes
address-pool ClientVPN-DHCP-Pool
authentication-server-group compnay.LOCAL LOCAL
default-group-policy "GroupPolicy_VPN Connect"
tunnel-group "VPN Connect" webvpn-attributes
group-alias "VPN Connect" enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
: end
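The thread above has no reply, so this is an added example rather than anything from the post: a rewrite of the guest-VLAN access list from the config as posted. In that config, `permit ip 10.40.10.0 255.255.255.0 interface outside` matches only the ASA's own outside address, so guests can reach the firewall but nothing beyond it; the existing `nat (guestwireless,outside) after-auto source dynamic any interface` is left as is. The internal ranges below are taken from the posted config plus RFC 1918 space as a catch-all, and the packet-tracer hosts are assumed.

```cisco
! Added example, not from the original post. Only the guestwireless ACL changes;
! the after-auto dynamic PAT to the outside interface already handles translation.

! Networks guests must never reach: the two ranges visible in the posted config
! plus all RFC 1918 space so the list does not need updating for every new VLAN.
object-group network INTERNAL_NETS
 network-object 172.29.0.0 255.255.255.0
 network-object 10.100.10.0 255.255.255.0
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

! Remove the line that only permits traffic to the firewall's outside address
no access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 interface outside

! Isolate guests first, then let them out; ACL entries are matched top-down
access-list guestwireless_access_in extended deny ip 10.40.10.0 255.255.255.0 object-group INTERNAL_NETS
access-list guestwireless_access_in extended permit ip 10.40.10.0 255.255.255.0 any
access-group guestwireless_access_in in interface guestwireless

! Separate observation from the posted config: security levels are inverted
! relative to the usual design (outside is 100, inside-tempnet is 0). The
! conventional baseline would be
!   interface GigabitEthernet0/0
!    security-level 0
!   interface GigabitEthernet0/2
!    security-level 100
! Changing them alters which interface pairs need an explicit ACL, so review the
! other access-groups before doing so.

! Verify (assumed test hosts):
! packet-tracer input guestwireless udp 10.40.10.60 40000 8.8.8.8 53      (expect allow, PAT to outside)
! packet-tracer input guestwireless tcp 10.40.10.60 40000 172.29.0.10 445  (expect drop)
```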
Hello,
We have recently implemented a new Cisco ASA 5512-X firewall, replacing an old Cisco ASA 5505 firewall.
We have a number of issues which we are encountering and have so far been unable to rectify. The config was copied visually across to the new firewall from the old, so the majority of the config matches the old firewall. I have attached the config.
1. VOIP phones not connecting to NTP at uk.pool.ntp.org - Our VOIP network is on its own VLAN inside the network. The phones were able to connect to the NTP server externally before the new firewall was in place. I have tested numerous access rules but with no luck.
2. VPN - We have setup a site to site VPN between the new Firewall and a SonicWall. The SonicWALL is showing the following errors from our firewall
07/10/2013 12:38:24.192
Info
VPN IKE
Received IKE SA delete request
77.107.90.203, 500
164.40.213.246, 500
VPN Policy: New_VPN
6
07/10/2013 12:38:24.192
Warning
VPN IKE
Received notify. NO_PROPOSAL_CHOSEN
77.107.90.203, 500
164.40.213.246, 500
7
07/10/2013 12:38:24.160
Info
VPN IKE
IKE Initiator: Start Quick Mode (Phase 2).
164.40.213.246, 500
77.107.90.203, 500
VPN Policy: New_VPN
3. Firewall rules for outside coming in do not allow pointing to the NAT object of a device we have to use the internal network object instead.
Any help would be much appreciated.
Many Thanks
James
No, there is no web filtering feature built in to the ASA5512-X; however you can configure the ASA5512-X to send web traffic towards a cloud-based (Cisco ScanSafe) web filtering solution. You would need to purchase a ScanSafe user-based license.
-
ASA 5512-X an out of date ASDM-IDM?
The Cisco ASA 5512-X we have recently purchased comes with an out-of-date ASDM-IDM. It comes with version 6.6(1), which is not compatible with ASA version 9.1. Is this normal?
I haven't opened a new one in the past couple of months but ASDM 6.6(1) is compatible with ASA software 8.6(1). That was the version most units were shipping with for a while as it was the initial release that introduced support for the 5500- X series.
If the box shipped new with 9.1 ASA software then the ASDM should be at least 7.1(1) - and the recommended version is 7.2(1). Reference.
It's easy enough to upgrade ASDM - just copy the file over and change the "asdm image" command to point to it.
(By the way, you'd get better visibility of a question like this in the Security - Firewalling forum.) -
Excessive ICMP traffic on server
Hello,
I am experiencing excessive ICMP traffic on all my Netware 6.5 SP6 servers. This ICMP traffic originates at the server, not from a workstation. I tried to search the KB but no luck. I want to know if any Netware products rely on ICMP communication and if I can disable ICMP at the server console. Currently we have ACLs on all core switches denying ICMP traffic. However, all the traffic on the network itself is causing congestion.
To give you an idea of the problem, this AM I tried to download a 1MB file from a remote site and it took an average of 5 min. I then powered off the NW server, checked the logs on the core switch, ICMP traffic literally disappeared, and tried the same download again; this time it took only 40 sec.
Please help! This is affecting my network drastically!!!
There are different scenarios in which ICMP packets could be generated.
You should really capture the ICMP packets to see what is really going on.
Some possible cases are:
- ICMP packets used for costing (e.g. determining the distance of other servers to see which server might be the best to talk to)
- ICMP replies in case of error conditions (can't fragment and no such protocol replies)
While filtering ICMP traffic in itself is a good idea, blankly turning it off completely is generally a very bad idea, as some communications really need ICMP and perform badly without it (for instance MTU detection will not work without ICMP).
Marcel Cox (using XanaNews 1.18.1.6) -
Cisco ASA 5505 Cannot ping local traffic and local hosts cannot get out
I have, what I believe to be, a simple issue - I must be missing something.
Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209).
There is a PC (10.51.253.210) plugged into e0/1.
I know the PC is configured correctly, with the Windows firewall turned off.
The PC cannot get to the outside world, and the ASA cannot ping 10.51.253.210.
I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue.
Basically, the VPN is up and running but PC 10.51.253.210 cannot get out.
Any ideas? Sanitized Config is below. Thanks !
ASA Version 7.2(4)
hostname *****
domain-name *****
enable password N7FecZuSHJlVZC2P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif Inside
security-level 100
ip address 10.51.253.209 255.255.255.248
interface Vlan2
nameif Outside
security-level 0
ip address ***** 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
dns server-group DefaultDNS
domain-name *****
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
pager lines 24
mtu Outside 1500
mtu Inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list No_NAT
route Outside 0.0.0.0 0.0.0.0 ***** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set DPS_Set esp-3des esp-md5-hmac
crypto map DPS_Map 10 match address Outside_VPN
crypto map DPS_Map 10 set peer *****
crypto map DPS_Map 10 set transform-set *****
crypto map DPS_Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
console timeout 0
management-access Inside
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8d0adca63eab6c6c738cc4ab432f609d
: end
Hi Martin,
Which way are you trying? Is sending traffic via the site-to-site VPN not working, or is traffic which you generate to the outside world not working?
But you say the ASA-connected interface to the PC itself is not pinging; that is strange. Try setting up specific rules for the outgoing connection and check, instead of not having any ACL.
If it is the outside world, then you may need to check the NAT rules, which are not correct.
If it is site-to-site, then you may need to check a few other things.
Please do rate for the helpful posts.
By
Karthik -
Cisco asa 5505: No traffic lan to wan with IPv6
Hello everybody,
I have a Cisco ASA 5505 with a public IPv6 address on the outside interface and private IPv6 in the LAN. From the router I can ping any IPv6 address on the Internet and ping my LAN IPv6 addresses, but traffic doesn't go through the router.
This is my configuration.
interface Vlan1
nameif inside
security-level 100
ip address PRIV-Saturn1 255.255.255.0
ipv6 address fc00::1/7
ipv6 enable
interface Vlan2
nameif outside
security-level 0
ip address PUBLIC26 255.255.255.248
ipv6 address xxxx:yyyy:67:36::2/64
ipv6 enable
ipv6 nd suppress-ra
access-list Dynamic_Filter_ACL extended permit tcp any6 any6
ipv6 route outside ::/0 xxx:yyyy:67:36::1
Am I omitting anything?
Thanks in advance for the help.
Jos P
Since you're using IPv6 private addressing (fc00::) on the inside, you need a dynamic NAT entry to translate your private IPv6 addresses to a public one.
Alternatively, you could just use a subnet of your registered IPv6 block for the inside network and not worry about NAT. -
Cisco ASA 5505 Firewall Not Allowing Incoming Traffic
Hello,
I am wondering if there is a very friendly cisco guru out there who can help me out. I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall. I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one. Unfortunately, my script is not working with the 5505. Can someone please let me know what I am doing wrong with the following script? I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults. I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
ip address outside xxx.xxx.xxx.94 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
Hey Craig,
Based on your commands I think you were using version 6.3 on the PIX and now you must be moving to ASA version 8.2.x.
On 8.4, use the example below for defining the interfaces:
int eth0/0
ip add x.x.x.x y.y.y.y
nameif outside
no shut
int eth0/1
ip add x.x.x.x y.y.y.y
nameif inside
no shut
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
You can use two global statements, as the first statement would be used as dynamic NAT and the second as PAT.
If you're still not able to reach it, paste your entire config and the version that you are using on the ASA. -
UDP Broadcast Traffic from Cisco ASA
Hi,
I want to know whether, like a Cisco IOS router, the Cisco ASA passes UDP broadcast traffic, e.g., TFTP etc.?
Any thoughts ???
BR,
Mubasher Sultan
Hi Mubasher,
Unlike the router, the ASA does not forward any kind of broadcast packet (with the exception of DHCP broadcasts when DHCP Relay is enabled).
I understand that your DHCP server is providing the IP address of your TFTP servers here. I guess you are using DHCP option 150.
So if the DHCP server is on one interface and the client is on another, you can configure DHCP Relay on your ASA.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008075fcfb.shtml
In regard to the TFTP requests, these will be normal unicast packets, as Cadet said, so just make sure that you have the proper ACLs and NAT rules for that.