Firewall Upgarde
This is all about an AIRPORT.
They've been using as a firewall " POWER-1 5075 " and now they want to upgrade it to Cisco Firewall.
Can anyone please tell me what Cisco firewall best suits the specifications of this " power-1 5075 " firewall.
Here are some of the specificaiton that power-1 5075 has, and Cisco has to have same specs or better.
10/100/1000 Ports 10/14
10Gb ports 2 optional
Firewall Throughput 9 Gbps
VPN Throughput 2.4 Gbps
Concurrent Sessions 1.2 Million
IPS Throughput 7.5 Gbps
VLANs 1024
UTM out of the box Optional
Storage 160 GB
Enclosure 2U
Here's a comparison of ASA models:
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
HTH,
John
Similar Messages
-
I'm using a Canon MX860 printer and running OS X Snow Leopard 10.6.7, and there seems to be a problem printing to my MX860 printer when I have the firewall feature on my computer enabled. This has not been the case before; it just started happening a few days ago. Up until now, I've been able to print to my printer whether or not the firewall was enabled. Is there a workaround for this problem, other than just turning off the firewall?
I started having problem with the MX860 printer after I upgarded to Lion. Lion does not even recognize its existence, whether connected directly to MBA (USB) or to the 1TB Time Capsule via Ethernet.
-
Unable to see interface on ASA 5510 Firewall
Hi All,
I am unable to see 4th interface on my firewall i.e fastether0/3 on my firewall ASA 5510.
Below is the output.
ciscoasa# sh int ip br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 x.x.x.x YES CONFIG up up
Ethernet0/1 x.x.x.x YES CONFIG up up
Ethernet0/2 unassigned YES unset administratively down down
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset up up
Management0/0 192.168.1.1 YES CONFIG up up
Please suggest what could be the reason.
Regards
PankajHi Ramraj,
Even i have the base license for my ASA 5510 which is showing all the 4 interfaces in sh ver. I don't think so license would be an issue. There should be some IOS code bug that needs to be upgraded. If this goes for an OS upgrade it should get resolved.
Its not showing up in sh ver . As Karsten said he might be running on old IOS version.
fy-a# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 6.4(5)
Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
fy-a up 1 day 1 hour
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: Ethernet0/0 : address is 2c54.2d0c.8f1a, irq 9
1: Ext: Ethernet0/1 : address is 2c54.2d0c.8f1b, irq 9
2: Ext: Ethernet0/2 : address is 2c54.2d0c.8f1c, irq 9
3: Ext: Ethernet0/3 : address is 2c54.2d0c.8f1d, irq 9
4: Ext: Management0/0 : address is 2c54.2d0c.8f1e, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1AXXXXX
Running Permanent Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Configuration register is 0x1
Configuration has not been modified since last system restart.
fy-a#
Ramraj please do correct me if am wrong.
Please do rate if the given information helps.
By
Karthik -
Firewall reverse routing issue:
Dear Friends,
I am using ASA 5505 with base license and ISP connected directly on the firewall.While L# switch is connected through firewall also.
my configuration is :
ASA Version 7.2(4)
hostname CiscoFirewall03316
domain-name default.domain.invalid
enable password Ko5SCsPM2YQ1wt2G encrypted
passwd Ko5SCsPM2YQ1wt2G encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 10.192.32.11 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 112.23.24.25 255.255.255.248
interface Vlan10
no nameif
security-level 90
ip address 192.168.0.3 255.255.240.0
<--- More --->
interface Vlan50
no nameif
security-level 80
ip address 10.195.32.15 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 10
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 50
interface Ethernet0/6
interface Ethernet0/7
<--- More --->
ftp mode passive
clock timezone IST 5 30
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 121.242.190.181
name-server 121.242.190.210
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list in_out extended permit ip any any
access-list out_in extended permit ip any any
access-list out_in extended permit ip any 112.23.24.25 255.255.255.248
access-list cisco_splitTunnelAcl standard permit 0.0.0.0 255.255.255.0
access-list cisco_splitTunnelAcl_1 standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ciscouser 10.10.10.240-10.10.10.249 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
<--- More --->
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group in_out in interface inside
access-group out_in in interface outside
route inside 192.168.0.0 255.255.240.0 192.168.0.2 1
route outside 0.0.0.0 0.0.0.0 112.23.24.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.192.32.0 255.255.255.0 inside
http 112.23.24.0 255.255.255.248 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
<--- More --->
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
<--- More --->
telnet 10.192.32.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet 112.23.24.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server none
vpn-tunnel-protocol l2tp-ipsec
group-policy cisco internal
group-policy cisco attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl_1
username test password tFqxsrS5ErBk4STW encrypted privilege 0
username test attributes
vpn-group-policy cisco
username admin password V5OS2TRb/vQZ7oZ9 encrypted
username ciscouser password 6aU35/UOvPoumpKWCFYSig== nt-encrypted privilege 0
username ciscouser attributes
vpn-group-policy DefaultRAGroup
<--- More --->
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup general-attributes
address-pool ciscouser
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
<--- More --->
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map type inspect im Google
parameters
match protocol msn-im yahoo-im
drop-connection log
service-policy global_policy global
prompt hostname context
Cryptochecksum:a883391680fa205ee31f05881761958c
: end
Everything is running fine on vlan 1 but vlan 10 is not running from user end.there is no ping from inside of 192.168.0.2
Please advise me.ThanksThere are 2 conflicting configuration:
interface Vlan10
no nameif
security-level 90
ip address 192.168.0.3 255.255.240.0
and "route inside 192.168.0.0 255.255.240.0 192.168.0.2 1"
How do you want to connect VLAN 10? is it on its own interface on the firewall? if it is, then you would need to configure a name for it, via the nameif command, and remove the above route inside
if it is going to be a routed subnet via the inside interface, then the above route needs to be modified as follows:
route inside 192.168.0.0 255.255.240.0 10.192.32.x
--> 10.192.32.x needs to be the next hop which is your L3 switch vlan 1 interface ip
and you would also need to shutdown interface vlan 10 on the ASA and remove the IP Address. -
Why cant i ping any host/servers behing my Firewall Cisco 5505
Can anyone please help me to figure out what in my configuration of the Cisco asa 5505 is wrong or missing. I have multiple host behind my firewall these hosts run different websites on port 80. I am able to ping the server from one to another but I am not able to ping the servers from the internet. I am using static NAT. Is there a translation issue going on here. Please help me!
========
CISCOASACLOUD# show run
CISCOASACLOUD# show running-config
: Saved
ASA Version 9.0(1)
hostname CISCOASACLOUD
enable password ************* encrypted
passwd ************* encrypted
names
ip local pool VPN_IP_POOL 10.0.2.50-10.0.2.75 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 82.94.XX.XX 255.255.255.0
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 194.109.104.104
name-server 194.109.9.99
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network VPN_NETWORK
subnet 10.0.2.0 255.255.255.0
object network NETWORK_OBJ_10.0.2.0_24
subnet 10.0.2.0 255.255.255.0
object network NETWORK_OBJ_10.0.2.0_25
subnet 10.0.2.0 255.255.255.128
object network SERVER2003_HTTP
host 10.0.2.104
object network SERVER2003_HTTPS
host 10.0.2.104
object network SERVER2004_HTTP
host 10.0.2.105
object network SERVER2004_HTTPS
host 10.0.2.105
object network SERVER2002_HTTP
host 10.0.2.103
object network SERVER2002_HTTPS
host 10.0.2.103
object network SERVER2002_NAGIOS
host 10.0.2.103
object network SERVER2003_NAGIOS
host 10.0.2.104
object network SERVER2002_NAGIOS_NSCP
host 10.0.2.103
object network SERVER2003_NAGIOS_NSCP
host 10.0.2.104
object network SERVER2004_NAGIOS
host 10.0.2.105
object network SERVER3001_NAGIOS
host 10.0.2.202
object network SERVER2001_NAGIOS
host 10.0.2.102
object network SERVER3001_HTTP
host 10.0.2.202
object network SERVER3001_HTTPS
host 10.0.2.202
object network SERVER2004_FTP
host 10.0.2.105
object network SERVER2004_FTP_TCP
host 10.0.2.105
object network SERVER2004_FTP_SSL
host 10.0.2.105
object network SERVER2005_HTTP
host 10.0.2.106
object network SERVER2005_HTTPS
host 10.0.2.106
object network SERVER3001_ICMP
host 10.0.2.201
access-list Default_Tunnel_Group_Name_VPN_splitTunnelAcl standard permit 10.0.2.0 255.255.255.0
access-list OutsideToInside extended permit tcp any host 10.0.2.104 eq www
access-list OutsideToInside extended permit tcp any host 10.0.2.104 eq https
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq www
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq https
access-list OutsideToInside extended permit tcp any host 10.0.2.103 eq www
access-list OutsideToInside extended permit tcp any host 10.0.2.103 eq https
access-list OutsideToInside extended permit tcp any host 10.0.2.102 eq 12489
access-list OutsideToInside extended permit tcp any host 10.0.2.103 eq 12489
access-list OutsideToInside extended permit tcp any host 10.0.2.104 eq 12489
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq 12489
access-list OutsideToInside extended permit tcp any host 10.0.2.202 eq 12489
access-list OutsideToInside extended permit tcp any host 10.0.2.202 eq www
access-list OutsideToInside extended permit tcp any host 10.0.2.202 eq https
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq ftp
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq ftp-data
access-list OutsideToInside extended permit tcp any host 10.0.2.105 eq 990
access-list OutsideToInside extended permit tcp any host 10.0.2.106 eq www
access-list OutsideToInside extended permit tcp any host 10.0.2.106 eq https
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static VPN_NETWORK VPN_NETWORK route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.0.2.0_24 NETWORK_OBJ_10.0.2.0_24 destination static NETWORK_OBJ_10.0.2.0_25 NETWORK_OBJ_10.0.2.0_25 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network SERVER2003_HTTP
nat (inside,outside) static 82.94.XXX.XXX service tcp www www
object network SERVER2003_HTTPS
nat (inside,outside) static 82.94.XXX.XXX service tcp https https
object network SERVER2004_HTTP
nat (inside,outside) static 82.94.XXX.XXX service tcp www www
object network SERVER2004_HTTPS
nat (inside,outside) static 82.94.XXX.XXX service tcp https https
object network SERVER2002_HTTP
nat (inside,outside) static 82.94.XXX.XXX service tcp www www
object network SERVER2002_HTTPS
nat (inside,outside) static 82.94.XXX.XXX service tcp https https
object network SERVER2002_NAGIOS
nat (inside,outside) static 82.94.XXX.XXX service tcp 12489 12489
object network SERVER2003_NAGIOS
nat (inside,outside) static 82.94.XXX.XXX service tcp 12489 12489
object network SERVER2004_NAGIOS
nat (inside,outside) static 82.94.XXX.XXX service tcp 12489 12489
object network SERVER3001_NAGIOS
nat (inside,outside) static 82.94.XXX.XXX service tcp 12489 12489
object network SERVER2001_NAGIOS
nat (inside,outside) static 82.94.XXX.XXX service tcp 12489 12489
object network SERVER3001_HTTP
nat (inside,outside) static 82.94.XXX.XXX service tcp www www
object network SERVER3001_HTTPS
nat (inside,outside) static 82.94.XXX.XXX service tcp https https
object network SERVER2004_FTP
nat (inside,outside) static 82.94.XXX.XXX service tcp ftp ftp
object network SERVER2004_FTP_TCP
nat (inside,outside) static 82.94.XXX.XXX service tcp ftp-data ftp-data
object network SERVER2004_FTP_SSL
nat (inside,outside) static 82.94.XXX.XXX service tcp 990 990
object network SERVER2005_HTTP
nat (inside,outside) static 82.94.XXX.XXX service tcp www www
object network SERVER2005_HTTPS
nat (inside,outside) static 82.94.XXX.XXX service tcp https https
access-group inside_access_in in interface inside
access-group OutsideToInside in interface outside
route outside 0.0.0.0 0.0.0.0 82.94.XXX.XXX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http XXX.XXX.XXX.XXX 255.255.255.255 outside
http XXX.XXX.XXX.XXX 255.255.255.255 outside
http XXX.XXX.XXX.XXX 255.255.255.255 outside
http XXX.XXX.XXX.XXX 255.255.255.255 outside
http 10.0.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.0.2.0 255.255.255.0 inside
ssh XXX.XXX.XXX.XXX 255.255.255.255 outside
ssh XXX.XXX.XXX.XXX 255.255.255.255 outside
ssh XXX.XXX.XXX.XXX 255.255.255.255 outside
ssh XXX.XXX.XXX.XXX 255.255.255.255 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 213.132.202.192 source outside
ntp server 72.251.252.11 source outside
ntp server 131.211.8.244 source outside
group-policy Default_Tunnel_Group_Name_VPN internal
group-policy Default_Tunnel_Group_Name_VPN attributes
dns-server value 194.109.104.104 194.109.9.99
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
Default_Tunnel_Group_Name_VPN_splitTunnelAcl
username ******* password ************* encrypted privilege 0
username ******* attributes
vpn-group-policy Default_Tunnel_Group_Name_VPN
username ******* password ************* encrypted privilege 15
username ******* password ************* encrypted privilege 0
username ******* attributes
vpn-group-policy Default_Tunnel_Group_Name_VPN
username ******* password ************* encrypted privilege 0
username ******* attributes
vpn-group-policy Default_Tunnel_Group_Name_VPN
tunnel-group Default_Tunnel_Group_Name_VPN type remote-access
tunnel-group Default_Tunnel_Group_Name_VPN general-attributes
address-pool VPN_IP_POOL
default-group-policy Default_Tunnel_Group_Name_VPN
tunnel-group Default_Tunnel_Group_Name_VPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp error
inspect ftp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:655f9d00d6ed1c593506cbf9a876cd49
: end
CISCOASACLOUD#Hi Ron,
I have found the solution!
Indeed I had to extend my access-list on my outside interface!!!
I have succeeded using ASDM.
First I created a NEW network object for each of my servers. When you create a new object you will be asked for the internal IP address and "this is where the magic happens" you have to set the NAT IP address (the external address) !!!
Secondly I extended my access-list on my outside interface by defining every server and the required service (echo, echo-reply) in the "Public server list". When I performed these 2 steps I was able to ping the server from the internet.
My access-list looks the following now:
access-list OutsideToInside extended permit icmp any4 object SERVER2003 object-group DM_INLINE_ICMP_2
access-list OutsideToInside extended permit icmp any4 object SERVER2002 object-group DM_INLINE_ICMP_1
access-list OutsideToInside extended permit icmp any4 object SERVER2004 object-group DM_INLINE_ICMP_0
object network SERVER2004
nat (inside,outside) static 82.94.xxx.xxx
object network SERVER2002
nat (inside,outside) static 82.94.xxx.xxx
object network SERVER2003
nat (inside,outside) static 82.94.xxx.xxx -
I can't access my itunes store, it says I don't have an internet connection but I do. I tried updating to the newest version of itunes, turned off my firewall, checked to make sure itunes was allowed in my internet options. what else can i do?
Hello bigblue8
Check out the following articles for troubleshooting access to the iTunes Store. The first one will probably get you started enough to get it taken care of. If it does not the follow up article should definitely solve it for you.
Can't connect to the iTunes Store
http://support.apple.com/kb/ts1368
iTunes: Advanced iTunes Store troubleshooting
http://support.apple.com/kb/ts3297
Thanks for using Apple Support Communities.
Regards,
-Norm G. -
How do I change my firewall settings to allow Spotify?
I get a message pop up that says.... A firewall may be blocking Spotify. Please update your firewall to allow Spotify (error 101)
Please help I am so terrible with anything other then the basics.
I found my firewall settings but I could only figure out how to turn them on and off. This did not help.
I need it explained to me in the most simpilist of ways.
Thank youPlease read this whole message before doing anything.
I've tested these instructions only with the Safari web browser. If you use another browser, they may not work as described.
This procedure is a diagnostic test. It won’t solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.
Third-party system modifications are a common cause of usability problems. By a “system modification,” I mean software that affects the operation of other software — potentially for the worse. The following procedure will help identify which such modifications you've installed. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.
These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.
Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.
Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then copy it. The headings “Step 1” and so on are not part of the commands.
Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.
Launch the Terminal application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.
Step 1
Triple-click the line of text below on this page to select it:
kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}' | open -ef
Copy the selected text to the Clipboard by pressing the key combination command-C. Then click anywhere in the Terminal window and paste (command-V). A TextEdit window will open with the output of the command. If the command produced no output, the window will be empty. Post the contents of the TextEdit window (not the Terminal window), if any — the text, please, not a screenshot. You can then close the TextEdit window. The title of the window doesn't matter, and you don't need to post that. No typing is involved in this step.
Step 2
Repeat with this line:
{ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix\.cron)|org\.(amav|apac|cups|isc|ntp|postf|x)/{print $3}'; echo; sudo defaults read com.apple.loginwindow LoginHook; echo; sudo crontab -l; } 2> /dev/null | open -ef
This time you'll be prompted for your login password, which you do have to type. Nothing will be displayed when you type it. Type it carefully and then press return. You may get a one-time warning to be careful. Heed that warning, but don't post it. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.
Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step.
Step 3
{ launchctl list | sed 1d | awk '!/0x|com\.apple|org\.(x|openbsd)/{print $3}'; echo; crontab -l 2> /dev/null; } | open -ef
Step 4
ls -A /e*/{cr,la,mach}* {,/}Lib*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts .la* 2> /dev/null | open -ef
Important: If you formerly synchronized with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting.
Step 5
osascript -e 'tell application "System Events" to get name of login items' | open -ef
Remember, steps 1-5 are all copy-and-paste — no typing, except your password. Also remember to post the output.
You can then quit Terminal. -
Can we do a Secure FTP for an XML file from ABAP when firewall is enabled?
Hi all,
I have a requirement to send an XML file to an External FTP Server which is out of our corporate network and our firewall is enabled.
I have to send an XML file with Purchase Order details. I completed that with the help of this blog https://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/2657. [original link is broken] [original link is broken] [original link is broken]
Now I need to FTP the XML file that is generated. How should I be doing this? Can some of help me with this?
I need to do a Secure FTP to the external non SAP server which is out of our corporate network and our firewall is enabled. Can some one tell me if SFTP is possible in ABAP.
This is not a web service. I am working on dropping an XML file in an external FTP serveru2026 I have searched the forums but still in a confusion if weather Secure FTP is possible in ABAP or not when our company firewall is enabledu2026
If some one encountered this situation earlier please help,,,..any help will be highly appreciated.
Regards,
Jessica SamThanks a lot for your valuable suggestions Richu2026
I agree with you Rich that web services would be a better option. But I need to send this file to an external third party and they dont have web services.
They are telling us that either we can send them an XML file or a CSV file in the format that they want. We decided to go with XML file format.
I am done with formatting the Purchase Order details in the format that they want. Now the challenge is that I need to send this FTP file to them and it should be a Secure FTP when our fire wall is enabled,
When you say
1) Run an ABAP program to generate the XML file and put it on the local PC
2) Log into the FTP site via some FTP client, could simply be windows as well.
3) Manually cut/paste the file from the PC to the FTP site.
For Step 1 running ABAP Program can I schedule a batch job?
For Step 2 and Step 3 can I automate it in any other way..if not in ABAP?
Can I advice my company to follow any alternate method in which they can automate this step 2 and step 3u2026if not in ABAP can it be possible in any other way as the third party does not have web services I now have no other alternative.
Please Helpu2026
Regards,
Jessica Sam -
Hi Experts,
Need a solution regarding broadcast.
There were lot of packet loss when i tired to ping inside interface of firewall.And my entire network was down.
When i checked in asdm there was DOS attack from particular ip on of internal server .
Today also i faced a similar problem, And i was not able to even log on to asdm.
Is there any ways to check log on firewall other than syslog serverHi
Just my 2 cents on the subject.
First of all are you onsite or are you somewhere else ?
It sounds like you are onsite and that the inside server is sending more packets through the link than what the firewall or the link somewhere to the firewall can handle. Ie Link saturation.
If that is the case then set a monitor port on the switch where the firewall connects and setting up a sniffer software such as wireshark will tell you the offending address immediately. It is the one sending most of the packets.
The second thing you can do is to go to the firewall and connect a cable and run CLI commands instead of using the ASDM.
Third
Do you have any unused ports in the firewall setting up a log server on one of those would be a prudent thing.
Forth
It could be a faulty cable, that would give the same problem symptoms, but if the ASDM tells you that there is an attack, then most likely it is not a faulty cable.
Good luck
HTH -
Unable to access public ip from branch vpn (Cisco ASA 5510 Firewall)
Hi,
As per the above diagram
in Head office - able to access public ips
In Branch office - unable to access public ips only accessing head office servers and internet is shared from head office.
please see the below configuration in Branch office router:
access-list 1 permit any
access-list 100 remark ****** Link to Firewall-HO1 ******
access-list 100 permit ip 10.21.211.0 0.0.0.255 172.16.35.0 0.0.0.255
access-list 100 permit ip 10.21.211.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 100 permit ip 10.21.211.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 100 permit ip 10.21.211.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 100 permit ip 10.21.111.0 0.0.0.255 172.16.35.0 0.0.0.255
access-list 100 permit ip 10.21.111.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 100 permit ip 10.21.111.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 100 permit ip 10.21.111.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 100 permit ip 10.21.10.0 0.0.0.255 172.16.35.0 0.0.0.255
access-list 100 permit ip 10.21.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 100 permit ip 10.21.10.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 100 permit ip 10.21.10.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 100 permit ip 10.21.211.0 0.0.0.255 host 78.93.190.226
access-list 100 permit ip 10.21.111.0 0.0.0.255 host 78.93.190.226
access-list 100 permit ip any any
access-list 101 deny ip 10.21.211.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 deny ip 10.21.211.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 deny ip 10.21.211.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 101 deny ip 10.21.211.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 101 deny ip 10.21.111.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 deny ip 10.21.111.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 deny ip 10.21.111.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 101 deny ip 10.21.111.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 101 deny ip 10.21.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 deny ip 10.21.10.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 deny ip 10.21.10.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 101 deny ip 10.21.10.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 101 permit ip host 10.21.211.51 any
access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 66.147.240.160 eq pop3
access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 66.147.240.160 eq smtp
access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 78.93.56.10 eq pop3
access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 78.93.56.10 eq smtp
access-list 102 permit ip 10.21.211.0 0.0.0.255 any
route-map nonat permit 10
match ip address 101
Thanks for your valuable time and cosiderationsany1 can help me ?
-
Unable to browse internet on a domain user's computer through ASA 5503 Firewall
Dear All,
I am trying to configure my new firewall for the last one month but still unable to fix it. I have a domain in windows 2012 standard edition and the firewall with unlimited license. Here is the output of show startup-config. Please note that prpgb.org is my local domain.
prpgbasa# show startup-config
: Saved
: Written by enable_15 at 02:50:45.169 PKT Thu Nov 20 2014
ASA Version 8.2(5)
hostname prpgbasa
domain-name prpgb.org
enable password AExqpLntfuzsVQrq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address 202.142.XXX.YY 255.255.255.252
ftp mode passive
clock timezone PKT 5
dns server-group DefaultDNS
domain-name prpgb.org
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 202.142.XXX.YZ 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 10.0.0.2 255.0.0.0
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 86400 interface inside
dhcpd domain prpgb.org interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:23c0af4b2ddf9e925f83ce13909ab900
prpgbasa#
You all are requested to have a look into the problem and suggest me the modifications.
ThanksDear All,
I have solved the issue. I have done the following in-order to browse internet on domain user computers. Here are the steps
1. I have disabled my internal DHCP server in the domain.
2. Then I have configured the ASA DHCP server in the default IP address scheme i.e. 192.168.1.100-200
3. I have Connected my ASA to a switch first then from there I connected a cable to my Domain's Server WAN interface. The LAN (192.168.1.2)interface of the Domain server is also plugged into the same switch.
4. I am using my Domain Server's DNS for name resolution and forward queries which are not served by my domain to open dns server.
It works perfectly so far but before applying or setting up the entire netowrk i want your help to look into the configuration file for corrections if i am making any mistakes. Thanks again for your help and here is the output of show confing.
prpgbasa# show startup
: Saved
: Written by Ghaffar at 02:11:24.319 PKT Mon Dec 8 2014
ASA Version 8.2(5)
hostname prpgbasa
domain-name prpgb.org
enable password AExqpLntfuzsVQrq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ddns update hostname PRPGB.ORG
dhcp client update dns server both
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 202.142.XXX.YY 255.255.255.252
ftp mode passive
clock timezone PKT 5
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.1.2
domain-name prpgb.org
object-group network obj_any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 202.142.XXX.YY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 192.168.1.2 interface inside
dhcpd lease 86400 interface inside
dhcpd domain prpgb.org interface inside
dhcpd update dns both interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ABC password FL01QCj0LaLWTID0 encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7c4930a079158c0cb10a42813d3690cd
prpgbasa#
Please suggest me if there are any recomendations.
Thanks in advance.
Ghaffar -
Multiple gateways for different Traffic on ASA 5510 firewall
Hello,
My network atthe moment is set up as:
WAN, with three sites
Site 1
Site 2
Site 3
Site 1 is behind a non-Cisco firewall, which is connected to the internet via a Frame Relay link (using a Cisco 1721 router). We host a number of servers on the Internal network and DMZ's.
All sites connect to the WAN using Cisco routers or switches.
All internet traffic (IN and OUT) for all sites goes via the non-Cisco firewall.
I am interested in the ASA 5510 with six interfaces.
Using the ASA 5510 is it possible to set up two (2) internet connections, one via the Frame Relay and a second internet connection via an ADSL connection?
Then, is it possible to direct the outward-bound traffic via specific gateways based upon either:
(a) the type of traffic, say HTTP from users behind the firewall; or
(b) the IP addresses of the host (i.e. users' PC versus the servers)
Any assistance is welcome.
Kind regards,
IT@Cyes you can do this with policy routing on the internet router in front of the firewall assuming that you are connecting both ISPs to that router. Also, remember that you can do vlans on the ASA. This may cut down on the # of interfaces that you use in your config.
http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080636f89.html
HTH, pls rate! -
Unable to configure Outlook with ASA firewall and IWSVA
Dear Sir,
We are unable to configure MS outlook in our network which is having IWSVA proxy and cisco ASA 5510 firewall.
snapshot of outlook error details are attached for your reference.
In our network L3 is behind IWSVA which is behind cisco ASA 5510.
when we change following NAt rule and ACL incoming rule it works fine
nat (inside,outside) source static any interface unidirectional
nat (inside,outside) source static obj_Proxy interface unidirectional
access-list 100 extended permit ip any any
access-list inside_access_in extended permit ip object-group Proxy_Server any
all required ports are allowed in IWSVA also please tell me if we have to make any changes in IWSVA like mapping ports etc.
Thanks in advance
Regards:
Anand Singh DhouniHello Anand,
I already replied to you on the other post, Please mark this as answered so we can focus on one ticket and avoid duplicates.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at [email protected]
Cheers,
Julio Carvajal Segura -
Hi All
After some advise and direction
Our ASA firewall using ASA version 8.4 has recently started presenting us with a problem to one external website
called http://partners.highnet.com/login/ ip address 62.233.82.181.
Our firewall is letting everything on our inside Trusted site 192.168.254.0/24 out through our outside interface on x.x.x.x
to any website and brings back the details
However when we try to reach http://partners.highnet.com/login/ we recently started receiving (Internet Explorer cannot display the webpage)
on checking the ASA under Home TAB - Firewall Dashboard - and then under - Top 10 protected Servers under SYN attack we are receiving the below error.
Rank Server IP-Port Interface Average Current Total Source IP (Last Attack Time)
5
62.233.82.181:80
INSIDE
0
0
8
192.168.254.130 (1 mins ago)
I have tried rebooting the ASA firewall (Still did not resolve).
I have also disabled basic threat detection and threat detection statistics and then re-enabled after a period of time under > configuration > Firewall > threat detection (Still did not resolve).
Have created a number of access list both from the inside to outside and outside to inside allowing TCP just to the specific IP address 62.233.82.181 (Still did not resolve).
Tried editing Global Policy for Http configuration > connection settings TCP and UDP connections and also Embryonic connections (Still did not resolve).
Also tried using the shun command on the ASA to clear connection and statistics and (Still did not resolve).
So you see there is nothing else I can think of doing, so that is why I have asked you for some pointers maybe someone has come across this sort of issue before.
If you can help or advise it is much appreciated.Hi,
Are you sending logs from your ASA to any Syslog server from which you could pull all the connection logs for that destination IP address?
On the ASA you can naturally use "packet-tracer" also to simulate one such packet coming from your LAN towards this WAN IP address (of the server) and confirm that all rules are correct.
packet-tracer input INSIDE tcp 192.168.254.130 12345 62.233.82.181 80
You could maybe also try to generate TCP SYNs directly from the ASA
ping tcp 62.233.82.181 80
And see if the server replies
- Jouni -
i have a sony vx2000 and a macbook pro and i obtained the 9 to 4 inch firewall cable. my issue is that cant get any footage from my vx2000 to my imovies. i have looked up how to do it online and they make seem like you just plug it in and go its all golden. but not for me what am i doing wrong it does seem to be recoginize that my camera is even plugged in and no way letting import of capture any of my footage to my imovies. please help
The camera must be plugged in to AC power (not batteries only). And generally, the camera should be set to Play mode, not recording mode.
Maybe you are looking for
-
7.1, 6.1, 5.1, 2.1 whats the differan
OK i have a 400 watt sony stereo and it has a left and a right input. I have it plugged in the back of my sb audigy 2 zs sound card on the third jack. My stereo has 2 side speakers and a subwoofer. Now what happens when i go into the creative audio c
-
My albums and slideshows disappeared from the left column when I ejected a Canon camera after a download. My version of iPhoto '08 (V7.1.5(378)) had just crashed when I first connected the Canon camera to download. I restarted iPhoto.....successful
-
FileNotFoundException for SerializedSystemIni.dat & fileRealm.properties
I'm running Weblogic 8.1 SP4 on WIndows 2000 and I keep getting the following errors periodically appearing in my console window. The two files exist in the current directory (the 'mydomain' folder), which is the same place that I run startweblogic.c
-
How to update person or group column with peopleeditor control values
Hi, I have created custom aspx page and added "PeopleEditor" control(can select multiple users) in that page. Now I am trying to update person or group column with peopleeditor control values.I am not getting any error if I select single user in Peo
-
Can't Transfer Video(3gp), Mp3....
I'm Using Windows Vista the new version of Windows. However the PC Suite Software got problem on trying to transfer the file. It Either the PC Suite Software problem or this windows vista version not support for PC Suite Software. Right now i using l