Cisco ISA firewall

Similar Messages

• Cisco ISA 550 NAT problem

  Hi all,
  I have bought a Cisco ISA 550 small business firewall and I had to face to a problem when I configure the NAT.
  My scenario is,
  I have a mail server in my LAN which is need to be access from both inside and outside
  My lan network is 192.168.0.0/24
  I have a PPPoE WAN connection with a static IP
  Mail server IP 192.168.0.15/ 24
  There is not a DMZ zone. I need to NAT this server to my WAN IP and that WAN IP is also used
  to provide internet connection to other LAN users. I could do this with my previous ADSL
  router and i tried to do this with firewall but couldn't acheive the task.
  Hope a help from some expert.
  Thanks,
  Charith

  Do you want that your internal clients connect to the WAN IP and get natted to the local LAN IP?
  Then open the Maintain and Operate Guide at cisco.com and search for "hairpinning".
  Michael
  Please rate all helpful posts

• Replacing MS ISA proxy with IronPort WSA proxy - ISA firewall client?

  Replacing MS ISA proxy with IronPort WSA proxy - what about the ISA firewall client?
  Does Cisco have an equivalent of the Microsoft ISA Firewall Client?
  How does WSA handle complex protocols (such as ftp) through the proxy server?

  We are replacing MS ISA proxy servers with IronPort WSA S370 proxy servers.
  We have several apps that make use the MS firewall client.
  The MS firewall client enables HTTP-tunneling of TCP & UDP through the ISA proxy servers instead of going through firewalls.
  These apps use various ports - and there are rules setup on the ISAs specifially for these apps and their ports.
  Also we have serveral uses of RPD, telnet, and SSH using the firewall client to HTTP-tunnel through the proxy servers -- and these have  specific ISA rules setup for them too.
  I can find HTTP-tunneling software - commercial and freeware - but can't find any that I think will work through the IronPort WSA S370 proxy servers.
  Would like to find someone who has implemented HTTP-tunneling using IronPort WSA 370 proxy servers.
  Thanks again for your input.

• Hi, I am getting the following error while booting up cisco asa firewall .

  Hi,
  I'm getting the following error form console when booting up Cisco ASA firewall...
  How do we determine the issue if its hardware or software related?
  ERROR: Type:2; Severity:80; Class:1; Subclass:3; Operation: 3

  Dear Ravi,
  You are getting the message of time out because you must be loading huge volume of data and BW runs for a specific peroid of time and then it gives a dump with message as processing is overdue.what you can do is first you should drop the indexes of the cube and then you should manually load the data-packets.I think you can again load the failed data package.select the failed data package in the monitor screen.then go to edit(on upper left next to monitor).In Edit select Init update then select "settings for further update" now select that process should be run in the background.Now right click on the failed datapacket and select Manual update.
  Hope this works for you.
  With Regards,
  Prafulla

• Configure our own Public IP pool on Cisco ASA firewall

  Hey everyone,
  I need some assistance on the below requirement...Today we have only one internet circuit connected with our external firewall where we are using /26 public IP address for all external traffic. Now we managed to obtain our own subnet (/24) from ARIN and would like to configure on the firewall/internet router for all external services. Is my approach right in order to configure our own subnet on the firewall?
  1. Create a dedicated interface on the Cisco ASA firewall for new public pool...if there is no free interface; then virtual interface also should be fine.
  2. Make sure an appropriate route towards Internet router ( or create default route towards OUTSIDE interface)
  3. Speak to Internet service provider and explain that you are planning to use this specific public IP address on your n/w and ask them to publish in their BGP world with proper prefix#
  4.Implement one external static NAT and make sure everything works as expected.
  Thanks in advance Network Experts!!!
  Regards
  VGS

  You have the basics. but I do have a couple comments / questions
  1. What ASA are you running? If you do not have a free interface and plan to create subinterfaces, you will need to remove the configuration of one of the interfaces, then create subinterfaces and then re-apply the configuration you removed to one of the subinterfaces there...So, why not just overwrite the existing external interface?  Also, keep in mind that the ASA does not support two default routes.  (though I have heard some rumours that this might be added to the 9.3 release, but I have not had this confirmed)
  4. You don't really say what you are going to use this new setup for, but if you are using it for internet then adding just a static NAT will not be enough, you will also need a dynamic NAT.
  Please remember to select a correct answer and rate helpful posts

• Oracle 8i through CISCO PIX Firewall

  HI all,
  I Need some help here with CISCO PIX Firewall 506e series. The ORACLE Server 8i on Windows NT.4, placed at the inside interface of PIX Firewall.
  The Firewall has been configured to allow all the port to come from outside interface (this is where the Oracle client reside). When the client from outside try the oracle client application (where the login promt for username and password) when pressed enter the error msg
  =============================
  oracle error con 440
  unable to make connection oracle - 12514 tns.couldn't resolve service name
  the menu was not connectable with oracle. a menu is ended
  ==============================
  Many thanks for PIX and Oracle config.
  HATO

  Varun,
  Thank you for your help.
  I have one quick question, this pix is not in failover, it is standalone but it has Unrestricted license. It only has 64Mb of Ram. Will I have any problems based on your link recommendation?
  Memory Requirements:
  If you are using a PIX 515/515E running PIX Version 6.2/6.3, you must increase your memory before upgrading to PIX Version 8.0(2). This version requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses
  What is the difference between the restricted Licenses and the Unrestricted Licenses?
  Thanks!

• I Want Buy Cisco ASA Firewall Supporting SIP

  Hello Guys I want to buy cisco ASA Firewall , that support SIP and Session Border Controller  (SBC) So please can any one tell me the most power full that support this protocols ,, Than you guys

  Hi Vijay,
  If can be done but you need any network management software. I personally dont think you can ask your ask to send mails. ASA can trigger alert to a SNMP configured server which will intern send mail to you 
  HTH,

• Connecting through ISA firewall

  I am tring to connect Contribute 3.11 through our company ISA
  authentication (firewall). The network provider tells me that ports
  20 and 21 are open for FTP but about halfway through the connection
  process, I get prompted for authentication username and password. 3
  tries and I'm out
  . I have also tried full domainname\username with
  password and that bombs too. Has anybody else seen this or know how
  to get around it?
  I can connect just fine on my home PC so I know my
  destination settings and permissions are OK. Any help is greatly
  appreciated.

  1. You can specify proxy settings in Contribute by going to
  Edit > Preferences > FTP Proxy.
  2. try disabling any antivirus software or firewall running
  on your system.
  3. make sure you install the ISA Firewall Client in your
  System:
  http://www.isaserver.org/tutorials/Manually_installing_the_ISA_firewall_client.html
  4. to verify if FTP is indeed enabled, try to type this in
  IE: ftp://ftp.irs.gov
  see if you can access the folders; if not, your system admin
  is lying; ftp is not enabled
  5. go to control panel > internet options > advanced;
  make sure that user http 1.1 through proxy connections is checked

• Cisco Transparent firewall and cisco switch issues.

  Dears,
  I have a very plain scenario
   LAN cisco switch <2 vlans>  ----------> cisco transparent firwall with bvi interface ------------>  crypto box ---------> cisco router ------ <remote/other site>
  i have vlan 61 configured on bvi interface of firewall, crypto box and also on the switch port and vlan of 61 is up up .
  The issue is i can connect remotely to cisco transparent firewall but cannot ping or connect to cisco switch. ???????????
  Need to know some trobuleshooting tips and basic settings that i need to verify. I simply want lan switch with 2 vlans to pass through the cisco transparent firewall and go to other site/remote site.

  Well,
  i have put the inspection icmp turned on for the sessions , and the version i am using is 9.1 
  moreover, i have put u p the ACLs for inbound and outboudn traffic, and while i ping across the firewall from the inside interface towards outside interface PC, i can see packet counts increasing on the acl , during the show access-llist command.
  i have requested the client to verify his part. do let me know further tips if you have any.
  [ moreover we cannot try to use packet-tracer from cli in transparent mode ]

• I am behind a Cisco PIX Firewall. What addresses and ports do I need to permit through to allow Firefox updates?

  I want to be able to upgrade my Firefox installations that are located behind a Cisco PIX Firewall. What are the TCP/IP addresses and ports required to be opened for updating to occur?

  This is less likely to be a firefox problem, as it appears something bad has happened to your network. Can you access the internet with other programs? Try email/ IRC/ Skype or even updating your computer.
  What operating system are you using?
  Ian.

• Cisco VPN client & Microsoft ISA firewall client.

  Hi all,
  could someone give me advice how to set
  up Cisco VPN client to route traffic
  to our proxy ISA 2004. We have installed
  Microsoft firewall client on PCs but we dont know how to set up routing of IPSEC
  to Proxy.
  I know that this is maybe problem of Microsoft but maybe it is possible to do this directly in Cisco VPN client.
  Any suggestions?
  BR
  jl

  Be sure that the Department or organizational unit (OU) corresponds to the Cisco VPN Client group name, as configured in the PIX vpngroup name. Select the correct Certificate Service Provider (CSP) appropriate for your setup
  http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094e69.shtml

• Access to WAN Port 2 on an CISCO ISA 550 Firewall

  Hi all
  On a CISO ISA 550 Firewall i created a 2 WAN Port Failover whichs works fine. But how can access the WAN2 Port (see Attaments) from my Workstation even the WAN1 Port is up an runnig, i created also a new Zone and Firewall Rule but this dosen't work..
  Thanks for your help

  Upgrade Firmware...

• Why does my Cisco router firewall block Windows Server 2012 traffic, but not Windows Server 2008 traffic?

  Hello,
     I run a small business network with five physical servers: three Dell servers running Windows Server 2008 R2, one custom build running 2008, and another custom build running 2012 with Domain Controller Role (same hardware for both custom builds). 
  The Dell servers are all running the Hyper-V role and each has a number of 2008 VMs.  I also have a 2012 VM with the Domain Controller Role on one of the Hyper-V servers and another VM with a completely base install of 2012.
     All servers are plugged into a Cisco SG300-52 switch which is uplinked to a Cisco 881 router which is connected to a cable TWC provided Ubee cable modem.  I have no VLANs setup.  I do have the Firewall on the router configured
  to inspect most traffic.
     Here is my problem:  I cannot connect to most of the internet on ANY 2012 server (and all exhibit the exact same behavior), but I have NO problems connecting to the internet from 2008 servers.  Here is what I already know:
     1.) I can ping the outside world just fine so ICMP is passing to any external host.
     2.) Two of the 2012 servers are DCs running DNS services and they can connect to the internet just fine for DNS requests because they are doing a perfectly good job of providing DNS services to my network.
     3.) Here's where it gets really weird: I can browse in internet explorer to Bing.com and it works.  I can also go to a couple other Microsoft websites (though they are very slow).  If I click on any link in Bing, however, it doesn't
  work and gives me a page not available error.  If I connect to a non-MS website like Google or my company website, I get page not available.
      4.) I have tried to telnet to port 80 at Bing and it works.  I have tried to telnet to port 80 at google.com and it won't connect.  The 2008 servers have no issue telneting to either bing or google on port 80 and none of my client
  PCs on the network do either.
      5.) Windows Update will not connect and neither will any other update service such as AVG (I have AVG Antivirus installed WITHOUT firewall on two of the three servers. The base 2012 VM has no software installed and no roles...I built it
  just to see if it could connect after a fresh install and it still cannot.)
      6.) The network connection does not indicate limited connectivity (probably because ICMP appears to be passing successfully)
       7.) If I connect the server directly to the modem it has full internet access.
       8.) All internal LAN connectivity is perfectly fine and runs at full speed.
       9.) I have scoured the internet trying to find other examples of this particular kind of connectivity issue on 2012 and I have found two TechNet articles that are similar, but they both had the same resolution: changing the router
  worked, but no one knows why. (I would have included the links, but apparently I cannot do that yet)
  My question is this: What is different about Windows Server 2012 networking that would render it unable to communicate through a router that Windows Server 2008 has no problems with?  I ask because, unlike in these two articles where they were
  running personal networking equipment they could easily upgrade, I'm running a Cisco 881 with what should be virtually limitless configuration options and I have no desire to replace it.  I have to assume the issue is somehow related to the firewall configuration,
  which I could fix easily, but I don't know what to change.  If anyone knows what changed in 2012 and why I would be able to browse to bing and other MS sites but no where else, please pass them along.  Thanks.

  This is the IP Config for the 2012 DC:
  Windows IP Configuration
     Host Name . . . . . . . . . . . . : COMPANYDC02
     Primary Dns Suffix  . . . . . . . : company.local
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : company.local
  Ethernet adapter Ethernet:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
     Physical Address. . . . . . . . . : 00-25-90-DC-EF-D5
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     Link-local IPv6 Address . . . . . : fe80::81d5:53cf:bd07:14ed%12(Preferred)
     IPv4 Address. . . . . . . . . . . : 10.10.10.202(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : 10.10.10.1
     DHCPv6 IAID . . . . . . . . . . . : 301999504
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-96-D5-C3-00-25-90-DC-EF-D5
     DNS Servers . . . . . . . . . . . : 10.10.10.202
                                         10.10.10.221
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Tunnel adapter isatap.{9929D989-8E88-4096-A1CB-61F1DB173FA3}:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter Teredo Tunneling Pseudo-Interface:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  This is the IP Config for the fresh install 2012 VM:
  Windows IP Configuration
     Host Name . . . . . . . . . . . . : WIN-800299O7ES6
     Primary Dns Suffix  . . . . . . . :
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : company.local
  Ethernet adapter Ethernet:
     Connection-specific DNS Suffix  . : company.local
     Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
     Physical Address. . . . . . . . . : 00-15-5D-0A-5C-02
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
     IPv4 Address. . . . . . . . . . . : 10.10.10.49(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Lease Obtained. . . . . . . . . . : Saturday, August 23, 2014 10:23:01 PM
     Lease Expires . . . . . . . . . . : Wednesday, August 27, 2014 10:23:01 PM
     Default Gateway . . . . . . . . . : 10.10.10.1
     DHCP Server . . . . . . . . . . . : 10.10.10.1
     DNS Servers . . . . . . . . . . . : 10.10.10.220
                                         10.10.10.221
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Tunnel adapter isatap.company.local:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . : company.local
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  NOTE: 10.10.10.220 and 10.10.10.221 are the other domain controllers on my network.  One of them is 2012 and one of them is 2008.  They are both functioning correctly for providing DNS services.  The 2012 Virtual DC, however, still has
  the internet connectivity issue that this whole post was about in the first place.
  NOTE2: When I logged on to COMPANYDC02 this morning, it told me that I had new Windows Updates that needed to be downloaded.   Confused, I checked the most recent time WU had checked for updates at it had successfully checked for updates last night
  at 10pm.  Of course, it failed when trying to download them, but it appears that once in a while, a connection gets through successfully...

• Windows 7 isa firewall client problem

  Hi,
  I have a problem with isa 2006 firewall client on windows 7 joined to domain , I can browse websites with webproxy but I cannot connect to any pop3 and smtp mailservers when using pop3 dns name on outlook, so if I add the full name of mail.something.com,
  it does not work with (name cannot be resolved), it works when adding ip address, also if I try to access ftp servers on internet it does not work.
  This only happens with windows 7 computers windows xp works correctly with firewall client.
  If secure nat client is used on windows 7 they work (but I need to authenticate users by name).
  I have searched many forums but cannot find a solution.
  I have rule in isa server that allows http,https,ftp,ping,smtp,pop, even the rule that applies to me which have all outbound ports open had the same problem.
  Thanks in advance.

  Hello everyone,
  I'm having the exact same issue at my workplace. i have a 2008R2 server running TMG 2010 and i have a pool of mixed client PCs (windows 7 and XP).
  I use forefront firewall client for authentication and access.
  I'm having the same trouble with name resolution in Outlook and another application but everything else works fine.
  There is no issue when using SecureNat (setting up gateway) though, everything is resolved and works well ... it's so strange and it's driving me crazy. 
  It would be much appreciated to have a more reasonable solution other than shortcuts like setting a fake gateway.
  Thank you in advance. 
  Best Regards,
  N

• Problem Packet Flow through Cisco ASA Firewall

  I have a Cisco ASA 5540 8.2(1), with permit ip any any rules
  packet-tracer input inside tcp 10.56.149.129 871 10.40.170.10 3003
  show
  Phase: 1
  Type: FLOW-LOOKUP
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Found flow with id 1374599592, using existing flow
  Result:
  input-interface: inside
  input-status: up
  input-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  if you change the source or destination port, the packet is successfully
  clear conn did not help
  please tell me how to solve the problem?

  Hi,
  I would suggest sharing the firewall configuration (except for any sensitive information they might have) so troubleshooting this would be easier.
  It would seem to me that during your "packet-tracer" test there is already an existing traffic flow through the ASA with the same information that you entered in the command.
  I don't know however why the connection would be blocked according to the "packet-tracer". In my own test this seemed to work. Output was otherwise the same but the "connection" wasnt dropped.
  - Jouni