Natting in cisco firewall ASA
Hi,
Currently I am facing a problem with how to do internal NATting for my network.
How do I NAT my VLAN 116 to VLAN 200 in my ASA firewall?
Source -> NATted -> Destination
192.168.116.0/24 -> 192.168.200.0/24 -> 192.168.102.0/24
Attached is my diagram; I would appreciate it if someone could give me some guidance.
Hello,
The link below will help you for any NAT scenario you want.
https://supportforums.cisco.com/docs/DOC-9129
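A worked configuration for the translation in the question, added here as an example; it is not from the thread or the linked document. It assumes ASA 8.3 or later (object NAT syntax), that the 192.168.116.0/24 and 192.168.102.0/24 networks sit behind interfaces named vlan116 and vlan102, and that the mapping is one-to-one (192.168.116.10 becomes 192.168.200.10); the object and interface names are placeholders.

```cisco
! Real, mapped and destination networks (object names are assumptions)
object network NET-VLAN116
 subnet 192.168.116.0 255.255.255.0
object network NET-VLAN116-MAPPED
 subnet 192.168.200.0 255.255.255.0
object network NET-VLAN102
 subnet 192.168.102.0 255.255.255.0
!
! Manual (twice) NAT: translate the source onto 192.168.200.0/24 only when
! the destination is 192.168.102.0/24. The destination is an identity
! translation (NET-VLAN102 to itself), which is what makes the rule
! conditional on the destination. Same-size subnets give a one-to-one
! mapping that keeps the host octet.
nat (vlan116,vlan102) source static NET-VLAN116 NET-VLAN116-MAPPED destination static NET-VLAN102 NET-VLAN102
!
! Interface ACLs on 8.3+ are evaluated against REAL addresses, so permit
! the real source and real destination, not the mapped 192.168.200.0/24.
access-list VLAN116_IN extended permit ip object NET-VLAN116 object NET-VLAN102
access-group VLAN116_IN in interface vlan116
!
! Verification (exec mode): the NAT phase of the trace should show the rule
! above with 192.168.116.10 translated to 192.168.200.10.
packet-tracer input vlan116 tcp 192.168.116.10 40000 192.168.102.20 80
show nat detail
show xlate
```

Because the rule is manual NAT it is bidirectional: a host on 192.168.102.0/24 can open a connection to 192.168.200.x and the ASA untranslates it to 192.168.116.x on the way in. Traffic from VLAN 116 to any other destination does not match the rule and leaves with its real address.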
Similar Messages
-
Cisco Firewall ASA 5510 series configuration
Hello folks, I am pursuing my final year project. I have a Cisco firewall ASA 5510 series, 2 unmanageable switches and about 20 related systems. What kind of configuration can I build up for the security protection of the systems I have? Please
guide me and help us on our platform.
This topic first appeared in the Spiceworks Community
Hi Satish,
1. First, make sure that the encryption domains are correct, like-for-like on both ends.
2. Also make sure that the transform set and everything else match as well. Please double-check the crypto map on both ends as well.
3. If you just added the new subnet to the ACL, it looks like the crypto map is not recognising it. Maybe just rebuild the crypto map or something.
HTH
Kishore
-
Cisco 5520 ASA Port Forward to Endian Firewall VPN Question
Hello,
We have had a VPN operational on our Endian Firewall which uses OpenVPN server on port number 1194. We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall and I am still hoping to use our current Endian Firewall VPN server. So I am thinking the easiest way to make this happen is to port forward all vpn traffic through the ASA to our Endian Firewall to access the VPN. Anyhow, I am just hoping someone with higher knowledge can let me know if this is the best course of action or if there is another easier or more efficient way of doing this?
Thanks in advance for your comments; I am new to Cisco technology,
Joe
Wrong forum, post in "Security - Firewalling". You can move your posting with the Actions panel on the right.
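One way to build the forward Joe describes on the ASA, written as an added example (not from the thread). It assumes ASA 8.3 or later, interfaces named outside and inside, an Endian box at 10.0.0.10 behind a spare public address 198.51.100.10, and OpenVPN on UDP 1194 (its default; a TCP listener would need a second rule with tcp). All addresses and names are placeholders.

```cisco
! Endian firewall's address on the inside (placeholder)
object network ENDIAN-VPN
 host 10.0.0.10
 ! Static PAT: only UDP/1194 of the public address is handed to the
 ! Endian box; nothing else on 198.51.100.10 is exposed.
 nat (inside,outside) static 198.51.100.10 service udp 1194 1194
!
! If the only public address is the ASA's own outside address, use
!   nat (inside,outside) static interface service udp 1194 1194
! instead. Keep the service restricted to the one port so the ASA's
! own management ports are never forwarded to the inside host.
!
! Outside ACL on 8.3+ permits the REAL (inside) address and port
access-list OUTSIDE_IN extended permit udp any object ENDIAN-VPN eq 1194
access-group OUTSIDE_IN in interface outside
!
! Verify: an outside client (203.0.113.5, made up) hitting the public port
! should pass the NAT phase (the static rule above) and the ACCESS-LIST
! phase and end with "Action: allow".
packet-tracer input outside udp 203.0.113.5 50000 198.51.100.10 1194
show nat detail
show xlate
```

With the ASA doing only the port forward, OpenVPN's TLS still terminates on the Endian box, so its certificate and user database stay where they are; the ASA just needs the one static PAT and one ACL line.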
-
Webserver on DMZ cannot send email via php script using SMTP (cisco firewall pix 515e)
Hello,
I have two web servers that are sitting in a DMZ behind a Cisco Firewall PIX 515e. The web servers appear to be configured correctly, as our website and FTP site are up. On two of our main websites, we have two contact forms that use a simple HTML form to call a PHP script that uses SMTP as its mailing protocol. Since I am not the network administrator, I don't quite understand how to read the current configuration on the firewall, but I suspect that port 25 is blocked, which prevents the script from actually working or sending out emails.
What I've done to narrow the problem down is the following: I used a WAMP server to test our scripts with our SMTP server's settings, and was able to successfully send an email out to both my Gmail and workplace accounts. Currently, we have Backup Exec loaded on both of these servers, and when I try to send out an alert I never receive it. I think this is because port 25 is closed for both of those servers.
I will be posting our configuration. If anyone can take a look and perhaps explain to me how I can change our web servers to communicate and successfully deliver mail via that script, I would greatly appreciate it. Our IP range is 172.x.x.x, but it looks like our web servers are using 192.x.x.x with NAT in place. Please, someone help.
Thanks,
Jeff Mateo
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password GFO9OSBnaXE.n8af encrypted
passwd GFO9OSBnaXE.n8af encrypted
hostname morrow-pix-ct
domain-name morrowco.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 12.42.47.27 LI-PIX
name 172.20.0.0 CT-NET
name 172.23.0.0 LI-NET
name 172.22.0.0 TX-NET
name 172.25.0.0 NY-NET
name 192.168.10.0 CT-DMZ-NET
name 1.1.1.1 DHEC_339849.ATI__LEC_HCS722567SN
name 1.1.1.2 DHEC_339946.ATI__LEC_HCS722632SN
name 199.191.128.105 web-dns-1
name 12.127.16.69 web-dns-2
name 12.3.125.178 NY-PIX
name 64.208.123.130 TX-PIX
name 24.38.31.80 CT-PIX
object-group network morrow-net
network-object 12.42.47.24 255.255.255.248
network-object NY-PIX 255.255.255.255
network-object 64.208.123.128 255.255.255.224
network-object 24.38.31.64 255.255.255.224
network-object 24.38.35.192 255.255.255.248
object-group service morrow-mgmt tcp
port-object eq 3389
port-object eq telnet
port-object eq ssh
object-group network web-dns
network-object web-dns-1 255.255.255.255
network-object web-dns-2 255.255.255.255
access-list out1 permit icmp any any echo-reply
access-list out1 permit icmp object-group morrow-net any
access-list out1 permit tcp any host 12.193.192.132 eq ssh
access-list out1 permit tcp any host CT-PIX eq ssh
access-list out1 permit tcp any host 24.38.31.72 eq smtp
access-list out1 permit tcp any host 24.38.31.72 eq https
access-list out1 permit tcp any host 24.38.31.72 eq www
access-list out1 permit tcp any host 24.38.31.70 eq www
access-list out1 permit tcp any host 24.38.31.93 eq www
access-list out1 permit tcp any host 24.38.31.93 eq https
access-list out1 permit tcp any host 24.38.31.93 eq smtp
access-list out1 permit tcp any host 24.38.31.93 eq ftp
access-list out1 permit tcp any host 24.38.31.93 eq domain
access-list out1 permit tcp any host 24.38.31.94 eq www
access-list out1 permit tcp any host 24.38.31.94 eq https
access-list out1 permit tcp any host 24.38.31.71 eq www
access-list out1 permit tcp any host 24.38.31.71 eq 8080
access-list out1 permit tcp any host 24.38.31.71 eq 8081
access-list out1 permit tcp any host 24.38.31.71 eq 8090
access-list out1 permit tcp any host 24.38.31.69 eq ssh
access-list out1 permit tcp any host 24.38.31.94 eq ftp
access-list out1 permit tcp any host 24.38.31.92 eq 8080
access-list out1 permit tcp any host 24.38.31.92 eq www
access-list out1 permit tcp any host 24.38.31.92 eq 8081
access-list out1 permit tcp any host 24.38.31.92 eq 8090
access-list out1 permit tcp any host 24.38.31.93 eq 3389
access-list out1 permit tcp any host 24.38.31.92 eq https
access-list out1 permit tcp any host 24.38.31.70 eq https
access-list out1 permit tcp any host 24.38.31.74 eq www
access-list out1 permit tcp any host 24.38.31.74 eq https
access-list out1 permit tcp any host 24.38.31.74 eq smtp
access-list out1 permit tcp any host 24.38.31.75 eq https
access-list out1 permit tcp any host 24.38.31.75 eq www
access-list out1 permit tcp any host 24.38.31.75 eq smtp
access-list out1 permit tcp any host 24.38.31.70 eq smtp
access-list out1 permit tcp any host 24.38.31.94 eq smtp
access-list dmz1 permit icmp any any echo-reply
access-list dmz1 deny ip any 10.0.0.0 255.0.0.0
access-list dmz1 deny ip any 172.16.0.0 255.240.0.0
access-list dmz1 deny ip any 192.168.0.0 255.255.0.0
access-list dmz1 permit ip any any
access-list dmz1 deny ip any any
access-list nat0 permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
access-list nat0 permit ip host 172.20.8.2 host 172.23.0.2
access-list nat0 permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
access-list nat0 permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
access-list nat0 permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
access-list vpn-split-tun permit ip CT-NET 255.255.0.0 192.168.220.0 255.255.255.0
access-list vpn-split-tun permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.255.0
access-list vpn-dyn-match permit ip any 192.168.220.0 255.255.255.0
access-list vpn-ct-li-gre permit gre host 172.20.8.2 host 172.23.0.2
access-list vpn-ct-ny permit ip CT-NET 255.255.0.0 NY-NET 255.255.0.0
access-list vpn-ct-ny permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
access-list vpn-ct-tx permit ip CT-NET 255.255.0.0 TX-NET 255.255.0.0
access-list vpn-ct-tx permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
access-list static-dmz-to-ct-2 permit ip host 192.168.10.141 CT-NET 255.255.248.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 192.168.220.0 255.255.255.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 NY-NET 255.255.0.0
access-list nat0-dmz permit ip CT-DMZ-NET 255.255.255.0 TX-NET 255.255.0.0
access-list static-dmz-to-ct-1 permit ip host 192.168.10.140 CT-NET 255.255.248.0
access-list static-dmz-to-li-1 permit ip CT-DMZ-NET 255.255.255.0 CT-NET 255.255.248.0
access-list vpn-ct-li permit ip CT-NET 255.255.0.0 LI-NET 255.255.0.0
access-list vpn-ct-li permit ip CT-DMZ-NET 255.255.255.0 LI-NET 255.255.0.0
access-list vpn-ct-li permit ip host 10.10.2.2 host 10.10.1.1
access-list in1 permit tcp host 172.20.1.21 any eq smtp
access-list in1 permit tcp host 172.20.1.20 any eq smtp
access-list in1 deny tcp any any eq smtp
access-list in1 permit ip any any
access-list in1 permit tcp any any eq smtp
access-list cap4 permit ip host 172.20.1.82 host 192.168.220.201
access-list cap2 permit ip host 172.20.1.82 192.168.220.0 255.255.255.0
access-list in2 deny ip host 172.20.1.82 any
access-list in2 deny ip host 172.20.1.83 any
access-list in2 permit ip any any
pager lines 43
logging on
logging timestamp
logging buffered notifications
logging trap notifications
logging device-id hostname
logging host inside 172.20.1.22
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside CT-PIX 255.255.255.224
ip address inside 172.20.8.1 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ctpool 192.168.220.100-192.168.220.200
ip local pool ct-thomson-pool-201 192.168.220.201 mask 255.255.255.255
pdm history enable
arp timeout 14400
global (outside) 1 24.38.31.81
nat (inside) 0 access-list nat0
nat (inside) 1 CT-NET 255.255.0.0 2000 10
nat (DMZ) 0 access-list nat0-dmz
static (inside,DMZ) CT-NET CT-NET netmask 255.255.0.0 0 0
static (inside,outside) 24.38.31.69 172.20.8.2 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.94 192.168.10.141 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.71 172.20.1.11 dns netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.93 192.168.10.140 netmask 255.255.255.255 0 0
static (DMZ,inside) 24.38.31.93 access-list static-dmz-to-ct-1 0 0
static (DMZ,inside) 24.38.31.94 access-list static-dmz-to-ct-2 0 0
static (inside,outside) 24.38.31.92 172.20.1.56 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.91 192.168.10.138 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.90 192.168.10.139 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.72 172.20.1.20 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.73 172.20.1.21 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.70 172.20.1.91 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.88 192.168.10.136 netmask 255.255.255.255 0 0
static (DMZ,outside) 24.38.31.89 192.168.10.137 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.74 172.20.1.18 netmask 255.255.255.255 0 0
static (inside,outside) 24.38.31.75 172.20.1.92 netmask 255.255.255.255 0 0
access-group out1 in interface outside
access-group dmz1 in interface DMZ
route outside 0.0.0.0 0.0.0.0 24.38.31.65 1
route inside 10.10.2.2 255.255.255.255 172.20.8.2 1
route inside CT-NET 255.255.248.0 172.20.8.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server ct-rad protocol radius
aaa-server ct-rad max-failed-attempts 2
aaa-server ct-rad deadtime 10
aaa-server ct-rad (inside) host 172.20.1.22 morrow123 timeout 7
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 173.220.252.56 255.255.255.248 outside
http 65.51.181.80 255.255.255.248 outside
http 208.65.108.176 255.255.255.240 outside
http CT-NET 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community m0rroW(0
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map dyn_map 20 match address vpn-dyn-match
crypto dynamic-map dyn_map 20 set transform-set 3des-sha
crypto map ct-crypto 10 ipsec-isakmp
crypto map ct-crypto 10 match address vpn-ct-li-gre
crypto map ct-crypto 10 set peer LI-PIX
crypto map ct-crypto 10 set transform-set 3des-sha
crypto map ct-crypto 15 ipsec-isakmp
crypto map ct-crypto 15 match address vpn-ct-li
crypto map ct-crypto 15 set peer LI-PIX
crypto map ct-crypto 15 set transform-set 3des-sha
crypto map ct-crypto 20 ipsec-isakmp
crypto map ct-crypto 20 match address vpn-ct-ny
crypto map ct-crypto 20 set peer NY-PIX
crypto map ct-crypto 20 set transform-set 3des-sha
crypto map ct-crypto 30 ipsec-isakmp
crypto map ct-crypto 30 match address vpn-ct-tx
crypto map ct-crypto 30 set peer TX-PIX
crypto map ct-crypto 30 set transform-set 3des-sha
crypto map ct-crypto 65535 ipsec-isakmp dynamic dyn_map
crypto map ct-crypto client authentication ct-rad
crypto map ct-crypto interface outside
isakmp enable outside
isakmp key ******** address LI-PIX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 216.138.83.138 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address NY-PIX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address TX-PIX netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
vpngroup remotectusers address-pool ctpool
vpngroup remotectusers dns-server 172.20.1.5
vpngroup remotectusers wins-server 172.20.1.5
vpngroup remotectusers default-domain morrowny.com
-
Amit,
I applaud your creativity in seeking to solve your problem; however, this sounds like a real mess in the making. There are two things I don't like about your approach. One, cron -> calling Java -> calling PHP -> accessing database: it's just too many layers, in my opinion, where things can go wrong. Two, it seems to me that you are exposing data on your website (with the PHP) that you may not want to expose, and this is an important consideration when you are dealing with emails and privacy and so on.
I think the path of least resistance would be to get a new user account added to the MySQL database that you can access remotely with your Java program. This account can be locked down to read-only access and be locked down to the specific IP or IP range that your Java program will be connecting from.
Again, I applaud your creativity, but truly this seems like a hack because of the complexity and security concerns you are introducing, and I think it is a path to the land of trouble. Hopefully you will be able to get a remote account set up.
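A way to check on the PIX itself whether the web servers' outbound port 25 traffic is being dropped, added here as an example using PIX 6.3 capture and xlate commands; it is not from the thread. Two facts in the posted configuration matter. The dmz1 ACL lets DMZ hosts reach the Internet but denies anything to 172.16.0.0/12, so if the SMTP relay lives on the inside 172.20.x network the DMZ web servers cannot reach it. And there is no nat (DMZ) 1 statement, so only DMZ hosts with a static (192.168.10.140 is 24.38.31.93, .141 is 24.38.31.94, plus .136 to .139) have any translation to the outside at all. The relay address 172.20.1.20 below is an assumption, picked because it is one of the inside hosts the outside ACL already allows SMTP to.

```cisco
! 1. Capture SMTP from the DMZ web server as it arrives on the DMZ interface
access-list cap-smtp permit tcp host 192.168.10.140 any eq smtp
access-list cap-smtp permit tcp any eq smtp host 192.168.10.140
capture smtp-dmz access-list cap-smtp interface DMZ
!
! 2. Capture the same flow on the side it should leave on. The host appears
!    as 24.38.31.93 there, both toward the outside (static DMZ,outside) and
!    toward CT-NET (static DMZ,inside with static-dmz-to-ct-1). Use
!    "interface inside" instead if the relay is the assumed 172.20.1.20.
access-list cap-smtp-out permit tcp host 24.38.31.93 any eq smtp
access-list cap-smtp-out permit tcp any eq smtp host 24.38.31.93
capture smtp-out access-list cap-smtp-out interface outside
!
! 3. Submit the contact form (or "telnet <relay> 25" from the web server),
!    then compare the two captures:
show capture smtp-dmz
show capture smtp-out
! SYNs in smtp-dmz but nothing in smtp-out  -> the PIX is dropping it
!   (ACL dmz1 or no translation); look for a deny/no-xlate message:
show logging | include 192.168.10.140
! SYNs in both but no SYN/ACK coming back  -> the drop is upstream or at the relay
!
! 4. Confirm the translation and connection entries exist
show xlate | include 192.168.10.140
show conn | include 192.168.10.140
!
! 5. If the relay is on the inside, dmz1 denies it:
!    "access-list dmz1 deny ip any 172.16.0.0 255.240.0.0".
!    A narrow permit inserted ABOVE the deny lines lets only SMTP through
!    (line 1 is the echo-reply permit, so line 2 lands before every deny):
access-list dmz1 line 2 permit tcp host 192.168.10.140 host 172.20.1.20 eq smtp
access-list dmz1 line 2 permit tcp host 192.168.10.141 host 172.20.1.20 eq smtp
!
! 6. Remove the captures when done
no capture smtp-dmz
no capture smtp-out
```

The point of capturing on both interfaces is that it separates "the firewall dropped it" from "the firewall forwarded it and nobody answered" without reading the whole rule base; the ACL change in step 5 is only needed when the relay is on the inside, and it deliberately permits one port to one host rather than loosening the deny for the 172.16.0.0/12 block.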
-
Port Forwarding Cisco firewall
Hi,
On a Cisco Firewall 2900 series
I am trying to use port forwarding,
but there is no communication. Please help me.
Regards,
Manoj.
: Saved
: Written by enable_15 at 23:01:39.772 UTC Thu Jan 30 2014
name 10.10.70.X.40 FinalPdf
name 201.256.x.x Youfinalip
interface Ethernet0/0
nameif YOUB
security-level 0
ip address 201.256.x.x.254.82 255.255.255.248
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.10.70.X.1 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service ftp tcp
port-object eq ftp
port-object eq ftp-data
port-object eq 14147
object-group service any tcp-udp
port-object range 1 65535
object-group service DM_INLINE_TCP_1 tcp
group-object ftp
port-object eq ftp-data
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 10.70.0.0 255.255.0.0
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_access_in extended deny object-group TCPUDP any any eq domain
access-list inside_access_in extended permit ip any any
access-list YOUB_mpc extended permit ip any any
access-list YOUB_access_in extended permit object-group TCPUDP any interface YOUB inactive
access-list YOUB_access_in extended permit tcp any host Youfinalip object-group ftp
pager lines 24
logging enable
logging emblem
logging asdm-buffer-size 512
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm debugging
logging device-id hostname
logging debug-trace
logging ftp-bufferwrap
logging ftp-server 10.10.70.X.251 firwall/ firwall firwall
logging class auth trap emergencies asdm emergencies
mtu YOUB 1500
mtu SIFY 1500
mtu inside 1500
mtu WAN 1500
mtu management 1500
ip verify reverse-path interface YOUB
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm location Testpdf 255.255.255.255 inside
asdm history enable
arp timeout 14400
global (YOUB) 1 interface
global (SIFY) 1 interface
nat (inside) 0 access-list EXEMPT
nat (inside) 1 10.10.70.X.0 255.255.255.0 dns
static (inside,YOUB) tcp Youfinalip ftp Testpdf ftp netmask 255.255.255.255
access-group YOUB_access_in in interface YOUB
access-group inside_access_in in interface inside
route YOUB 0.0.0.0 0.0.0.0 201.256.x.x.254.81 1 track 1
route inside 0.0.0.0 0.0.0.0 10.10.70.X.1 10
route WAN 10.60.0.0 255.255.255.0 10.70.100.38 1
route WAN 192.168.8.0 255.255.255.0 10.70.100.38 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 4.2.2.2 interface YOUB
num-packets 3
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
track 1 rtr 100 reachability
telnet timeout 5
ssh scopy enable
ssh 10.10.70.X.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
class-map YOUB-class
match access-list YOUB_mpc
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
description ftp
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ftp
class class-default
ips inline fail-open
policy-map YOUB-policy
class YOUB-class
ips inline fail-open sensor vs0
service-policy global_policy global
service-policy YOUB-policy interface YOUB
smtp-server 10.10.70.X.18
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:aace81256bc60bc50469f80cb0c4641a
: end
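The posted configuration uses pre-8.3 NAT syntax (static ... tcp ... ftp), so the interface ACL has to reference the mapped public address, which YOUB_access_in does. Three things in it are worth checking before anything else: the static forwards only TCP/21, while the ACL also permits ftp-data and 14147 to the public address, ports that have no translation; the static and the asdm location use the name Testpdf, but the only name defined in the posted list is FinalPdf (possibly the poster's redaction, but it is exactly the sort of mismatch that leaves a static pointing at nothing); and with inspect ftp in the global policy the passive data channel is opened by the inspection engine, so no second static is needed for it. The checks below are an added example, not part of the thread; the client address 203.0.113.5 is made up and the names are the ones from the posted configuration.

```cisco
! 1. Trace an outside client connecting to the public FTP port.
!    Pre-8.3: the destination in the trace is the MAPPED address, and the
!    ACL is checked against that same mapped address.
packet-tracer input YOUB tcp 203.0.113.5 40000 Youfinalip 21 detailed
!   Expect: ACCESS-LIST (YOUB_access_in) ALLOW, then NAT (the static), then
!   "Action: allow". A drop at ACCESS-LIST means the ftp object-group is not
!   matching; a drop at NAT means the static is not being hit (name or IP).
!
! 2. Confirm the static translation exists and which host it maps to
show xlate debug | include 21
show running-config static
show running-config names
!
! 3. Confirm FTP inspection is attached, so PASV data connections open
show service-policy inspect ftp
!
! 4. Ports 14147 and ftp-data permitted by YOUB_access_in have no static;
!    only TCP/21 is forwarded. Add a forward only if the port is really
!    needed from the Internet (14147 is the FileZilla Server admin port,
!    which should not be exposed):
! static (inside,YOUB) tcp Youfinalip 14147 Testpdf 14147 netmask 255.255.255.255
!
! 5. Watch the wire while the client retries, then clean up
capture ftp-in interface YOUB match tcp any host Youfinalip eq 21
show capture ftp-in
no capture ftp-in
```

If packet-tracer allows the flow but the capture shows SYNs with no reply, the next place to look is the server itself (is it listening on 21, and does it have a route back through the ASA's inside address); if packet-tracer drops the flow, its phase output names the rule responsible.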
-
Hi All
I hope you can help with a number of questions I have around our existing Cisco firewall and the use of Contexts.
We have a router with an inside interface eg A.A.A.A connected to a L2 switch then to a Cisco 5550 firewall. The link in place between the switch and the firewall is a trunk.
The firewall is running in routed context mode already with just 1 context in place (besides admin).
The existing context has a number of logical interfaces assigned to it with incoming traffic to the firewall using a certain vlan on a sub interface 1.182. Sub interface 1.182 is a member of a redundant logical interface on the incoming physical interface 0/0.
There is a route in place on the router forwarding all traffic to an IP address on the firewall within context 1 – eg A.A.A.254 on logical interface 1.182
The problem is that we would now like to create another context on the firewall (context 2).
I’d like to know the best way to complete this task – whether I can re-use the existing incoming logical interface 1.182 that is used in Context1 or whether to create another sub interface eg 1.183 or alternatively use a completely different physical interface on the firewall and add another Ethernet connection to the switch.
If I can use the same logical interface used in Context 1, from what I have already read then I would need to make sure that the MAC address on the new context interface is different to the MAC in context 1 ?
Can I assign a different IP address to this shared logical interface within my new context2 ? and does it need to be in the same subnet as already used between the router and the firewall ie A.A.A.A.x – I would suspect so.
Also I guess I would need to put another static route on the router directing my required traffic to my IP address within Context 2?
Please could someone help with some guidance? The problem that I have is that I naturally want to avoid causing any upset to the existing Context1 and how it currently receives its traffic.
thanks
If you are sharing a physical interface among contexts, the recommended practice is to manually assign unique MAC addresses. Reference.
It's not really necessary to use subinterfaces on the ASA unless a single physical interface in a given context is serving multiple logical interfaces. If the upstream device is a router then subinterfaces are used there in your example. If a switch, then a trunk.
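A sketch of a second context sharing subinterface 1.182, added as an example that is not from the thread. It assumes the redundant interface is redundant1 (so the shared subinterface is redundant1.182), that the router-facing subnet A.A.A.x is 203.0.113.0/24 with the router at .1 and context1 already holding .254, that context2's own inside is a separate subinterface redundant1.300, and that 10.20.0.0/16 is the space behind context2; the MAC address is an arbitrary locally administered value.

```cisco
! ---- system execution space ----
! On a shared interface the classifier assigns each incoming frame to a
! context by destination MAC, so every context needs its own. Either let
! the ASA generate them (recommended) or set them per interface below.
mac-address auto
!
context context2
 description second tenant on the shared 1.182 VLAN
 allocate-interface redundant1.182 outside-ctx2
 allocate-interface redundant1.300 inside-ctx2
 config-url disk0:/context2.cfg
!
! ---- inside context2 (changeto context context2) ----
interface outside-ctx2
 nameif outside
 security-level 0
 ! A different address in the SAME subnet as context1's A.A.A.254, since
 ! both contexts sit on the same VLAN toward the router. The explicit MAC
 ! is only needed if mac-address auto is not used.
 ip address 203.0.113.253 255.255.255.0
 mac-address 0200.0000.c202
 no shutdown
!
interface inside-ctx2
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.0.0
 no shutdown
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! ---- upstream router: one more static route, toward context2's address ----
! ip route 10.20.0.0 255.255.0.0 203.0.113.253
!
! ---- verification ----
! system space: both contexts and their allocated interfaces
show context
! inside each context: the interface shows its own MAC address
show interface outside
```

Context1 is not touched: its interface, address and MAC stay as they are, and the router keeps its existing route to A.A.A.254. The only shared state is the VLAN, which is why the unique MAC per context is the one thing that must be right before context2 is brought up.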
-
Good Morning
We are facing this issue regarding network infrastructure of some customers we take care.
In those infrastructures, only the network layer 3 device is allowed to consult an NTP master server (as stratum 0, for example). Although this layer 3 device acts as an NTP client of that server, for the other devices in this infrastructure the layer 3 device becomes the NTP master (stratum > 0).
For some infrastructures a firewall ASA performs the layer 3 role and must be this way. Other devices depend on the firewall to synchronize the clock.
The question is: how can we configure the ASA as an NTP server, or is it not possible?
I don't think there is any firmware support for using an ASA as an NTP time source, sorry.
How deeply do you care about the stratum? I run most of my clients at stratum 4, with only my outside DNS/NTP servers at stratum 3, consulting some upstream but nearby (inside the AS) stratum 2 servers. This works fine; I'm not shooting for nanosecond precision. There ought to be some NTP servers you can tap into closer than stratum 0 or 1. Or you could buy a GPS-based gizmo to act as a local time source.
-- Jim Leinweber, WI State Lab of Hygiene
-
Connecting a cisco firewall through putty using powershell
Hi,
I have to write a powershell script to connect to a cisco firewall and execute network commands.
my code is written as mentioned below-
function plink {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string] $remoteHost,
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string] $login,
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string] $passwd,
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string] $command
    )
    # Run PuTTY's plink non-interactively: SSH to the host, log in with the
    # given password and run $command as a single remote command
    & D:\PLINK.EXE -ssh $remoteHost -l $login -pw $passwd $command
    return
}
$remoteHost = "*****"
$login = "****"
$passwd = "******"
$command = "enable"
plink -remoteHost $remoteHost -login $login -passwd $passwd -command $command
From the above script I'm able to log in to a firewall, but I am not able to enable the firewall.
Can anyone help me and provide me with a way to enter the command "enable" and its password to enable the firewall using PowerShell?
Hi Plas,
Please try the script below, which adds the cmdlet "Invoke-Expression":
function plink {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string] $remoteHost,
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string] $login,
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string] $passwd,
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string] $command
    )
    $ExePath = "D:\PLINK.EXE"
    # Build the plink argument string and evaluate it as one command line
    $CLine = "-ssh $remoteHost -l $login -pw $passwd $command"
    Invoke-Expression "$ExePath $CLine"
}
$remoteHost = "*****"
$login = "****"
$passwd = "******"
$command = "enable"
plink -remoteHost $remoteHost -login $login -passwd $passwd -command $command
If there is anything else regarding this issue, please feel free to post back.
Best Regards,
Anna Wang
-
I use a Cisco Firewall (PIX 501) to Cisco Firewall (PIX 515) VPN to run off-site offices. I am now attempting to connect to my network with an iPad Air. What is needed to connect an iPad Air to the Cisco Firewall (PIX 515)?
Jags@GSC wrote:
It appears that my pix515 running at ver 7 might be the issue.
You didn't bother to mention that you had an issue. You still haven't explained what your "issue" is. Maybe you should try contacting Cisco support.
-
Good afternoon, I need to publish two mail servers
private IP
192.168.5.2
192.168.5.3
public IP
190.151.8.2
190.151.8.3
Both servers should send emails with IP 190.151.8.4
Would the configuration be the following?
nat (Inside, Internet) source static 192.168.5.2 190.151.8.2
nat (Inside, Internet) source static 192.168.5.3 190.151.8.3
dynamic NAT
nat (LAN, Internet) source dynamic 192.168.5.2 190.151.8.4
nat (LAN, Internet) source dynamic 192.168.5.3 190.151.8.4
Marco,
You need dynamic for both of them to send emails out and static PAT to receive emails.
Dynamic
object net obj-email1
host 192.168.5.2
nat (inside,outside) dynamic 190.151.8.4
object net obj-email2
host 192.168.5.3
nat (inside,outside) dynamic 190.151.8.4
Static PAT
object net obj-email1-spat
host 192.168.5.2
nat (inside,outside) static 190.151.8.2 service tcp 25 25
object net obj-email2-spat
host 192.168.5.3
nat (inside,outside) static 190.151.8.3 service tcp 25 25
-Kureli
I will be discussing this problem in my webcast on Tue.
https://supportforums.cisco.com/community/netpro/expert-corner#view=webcasts
Upcoming Live Webcast in English: January 15, 2013
Troubleshooting ASA and Firewall Service Modules
Register today: http://tools.cisco.com/squish/42F25
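Kureli's answer leaves out the access rule and does not say why two NAT rules on the same host do not fight each other; this added example (not from the thread) fills both in, again in 8.3+ object NAT syntax. It assumes interfaces named inside and outside and that the 190.151.8.x addresses are either on the outside interface's subnet or routed to it; the Internet MTA 203.0.113.9 used in the traces is made up.

```cisco
! Auto NAT rules from the answer: two per host, a static PAT for the
! inbound listener and a dynamic PAT to the shared 190.151.8.4 for
! everything else.
object network obj-email1
 host 192.168.5.2
 nat (inside,outside) dynamic 190.151.8.4
object network obj-email1-spat
 host 192.168.5.2
 nat (inside,outside) static 190.151.8.2 service tcp 25 25
object network obj-email2
 host 192.168.5.3
 nat (inside,outside) dynamic 190.151.8.4
object network obj-email2-spat
 host 192.168.5.3
 nat (inside,outside) static 190.151.8.3 service tcp 25 25
!
! Why they do not conflict: within Auto NAT (section 2 of "show nat") static
! rules are ordered before dynamic ones. The static PAT only matches when the
! REAL port is 25, i.e. inbound to the listener or outbound FROM port 25. A
! server-initiated delivery uses an ephemeral source port and destination 25,
! so it falls through to the dynamic rule and leaves as 190.151.8.4. Had the
! static been written without "service", outbound mail would leave as .2/.3.
show nat
!
! Inbound access: on 8.3+ the ACL names the REAL addresses
object-group network MAIL-SERVERS
 network-object host 192.168.5.2
 network-object host 192.168.5.3
access-list OUTSIDE_IN extended permit tcp any object-group MAIL-SERVERS eq smtp
access-group OUTSIDE_IN in interface outside
!
! Verify both directions. Inbound delivery should hit the static PAT ...
packet-tracer input outside tcp 203.0.113.9 40000 190.151.8.2 25
! ... and outbound delivery should hit the dynamic rule, with the NAT phase
! showing 190.151.8.4 as the translated source.
packet-tracer input inside tcp 192.168.5.2 40001 203.0.113.9 25
```

Two consequences worth checking with the ISP: the reverse DNS and SPF records should be built for 190.151.8.4, since that is the address remote MTAs will see on outbound mail, while the MX records point at .2 and .3.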
-
Cisco firewall rate limited syslogs and MARS
We're getting a ton of informational packets (tcp build / teardown) from firewalls here. I can kill this at the source (drop to "notification" level, filter out the build / teardown events, etc.) but would rather not throw this stuff away (good clues in an investigation).
I can filter this on the MARS side so rules don't fire, but that doesn't address the performance hit at the firewall, or the traffic on the network.
I can rate limit at the firewall - if I do will MARS be able to parse this out properly - i.e if there's a rule that fires on a 100 count for example, and a firewall that's set to rate limit a certain event to, say, every 200 instances of the event, and single syslog shows up at MARS with rate limited information in the packet, will the MARS rule fire?
hope this makes sense - thanks
What kind of firewall are you running? ASA? FWSM? Something else?
If you're running an ASA, the ideal solution would be to implement Netflow Secure Event Logging (NSEL). This feature uses Netflow v9 to handle security event logging along with traffic flow data. Using NSEL can provide performance improvements over syslog, both on the ASA, and on your network.
Part of the configuration process includes a command to disable the redundant syslog types already handled by NSEL. Many of those are the same types of logs you mentioned (buildups/teardowns, etc). It's very simple to configure - you can read more about it here, in the ASA 8.2 CLI Configuration Guide:
Configuring Network Secure Event Logging (NSEL)
If you're running a FWSM, the same option isn't available. Instead, you might want to reconsider disabling some of the log types that aren't really providing much benefit relative to the load. In fact, Cisco themselves recommend disabling some of the more unimportant (but frequent) log types.
From the "Cisco SIEM Deployment Guide", one of the "Smart Business Architecture" design guides (emphasis mine):
At logging level Informational, Cisco recommends disabling the following messages, as they are of little interest for SIEM analysis:
305010: The address translation slot was deleted
305011: A TCP, UDP, or ICMP address translation slot was created
305012: The address translation slot was deleted
To disable these messages, use the following configuration commands:
no logging message 305010
no logging message 305011
no logging message 305012
For more aggressive tuning, you may also consider disabling the following messages:
302014: A TCP connection between two hosts was deleted
302016: A UDP connection slot between two hosts was deleted
If dynamic Network Address Translation (NAT) is not configured on the appliance, message 302013 (for TCP connection slot creation) can also be disabled.
So, that's at least 6 possible log types that can be disabled with no impact: 302013, 302014, 302016, 305010, 305011, and 305012. And that's straight from Cisco's own documentation.
Now, to expand on that ...
- if 302016 (UDP teardown) can be disabled, why not 302015 (UDP create)?
- similarly, what about 302020 and 302021 (ICMP)? Disable those as well?
Final list:
302013
302014
302015
302016
302020
302021
305010
305011
305012
In the end, though, only you can determine which options are acceptable for your environment.
Note: all 3020xx log types listed are disabled automatically during the NSEL configuration process.
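The reply describes two approaches; here they are as one configuration fragment, added as an example rather than taken from the thread. It assumes ASA 8.2 or later, a NetFlow collector at 10.0.0.50 on UDP 2055 reachable through the inside interface (the collector address is made up; MARS stays the syslog destination), and the nine-message list the reply ends with. On the rate-limit question: the ASA's logging rate-limit simply stops generating a message once its count in the interval is reached, it does not emit a summary, so a collector counting events sees fewer of them rather than a rolled-up total.

```cisco
! --- Option A: keep syslog, silence the per-connection noise at the source ---
no logging message 302013
no logging message 302014
no logging message 302015
no logging message 302016
no logging message 302020
no logging message 302021
no logging message 305010
no logging message 305011
no logging message 305012
!
! Rate-limit instead of dropping outright: at most 100 level-6
! (informational) messages per 10-second interval, the rest are not
! generated. A per-message form also exists, e.g.
!   logging rate-limit 50 10 message 302013
logging rate-limit 100 10 level 6
!
! --- Option B: NSEL (ASA 8.2+), NetFlow v9 records instead of syslog ---
flow-export destination inside 10.0.0.50 2055
! resend the v9 templates every 30 minutes so the collector can decode records
flow-export template timeout-rate 30
policy-map global_policy
 class class-default
  ! export create, teardown and denied-flow events for all traffic
  flow-export event-type all destination 10.0.0.50
!
! Stop the syslogs that NSEL now reports as flow events (the 3020xx
! messages above among them); the list the command covers is shown by
! "show logging flow-export-syslogs".
logging flow-export-syslogs disable
!
! --- checks ---
show running-config logging | include message
show logging rate-limit
show flow-export counters
show logging flow-export-syslogs
```

Option A and Option B are not exclusive: with NSEL carrying the build/teardown data, the remaining syslog at level notifications is small enough that a per-message rate limit is usually unnecessary, and the investigation-grade detail the poster wants to keep lives in the NetFlow records instead of being thrown away.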
-
What Protection Beyond NAT Does SPI Firewall in E4200 Provide?
In the E4200 Cisco has dumbed-down the settings and Help to the point where it's impossible to derive any hard information from the documentation.
My question is this:
In a NAT environment (i.e., where I have a private LAN using 192.168.x.x addresses):
Specifically what additional protection, if any, does enabling the E4200's "SPI Firewall" setting provide?
Please do not answer with basic "It's good, set it" or "It enables the firewall" or what you guess it must do type answers. I'm looking for information beyond that - what I want to know is just what the "SPI Firewall" ENABLED setting is adding in addition to the basic incoming request blocking that's inherent in a NAT setup. Is the router doing additional IP header validation, blocking packets from specific addresses (and if so, who sets the table), etc.?
I have only IPv4 capability through my ISP at the moment, so an answer oriented toward IPv4 will be fine.
Thank you.
-Noel
NAT per definition does address translation. It does not provide security. It tries to deliver packets arriving on the public IP address. It tries to find the LAN IP address to which it can deliver an incoming packet. If it can't it will deliver the packet locally (i.e. to the router itself). NAT doesn't filter. NAT doesn't drop packets. It rewrites the destination IP address of packets arriving from the internet if it knows it has to.
The SPI firewall filters traffic. That's the part which drops packets. When you initiate traffic from the LAN to the internet it will remember this session/state and then will allow matching incoming responses from the internet back through (after they went through NAT).
Of course, this means that NAT and firewall go hand-in-hand when a new session is initiated from the LAN:
1. NAT remembers a NAT session to rewrite responses to the correct LAN IP address.
2. SPI remembers a firewall session to let incoming responses go through to the destination.
But still these are two different tables for two different purposes. You may want to do a little reading on the Linux firewall iptables, which the firewall in most cheap routers is built on.
Thus with NAT enabled the major effect of turning off the SPI firewall is to expose the router itself to the internet. All traffic which does not match NAT sessions is delivered locally. If the SPI firewall is off you expose the router to the internet. Of course, most ports are closed, thus you won't notice the difference. But as we have only learned recently, some routers listen for UPnP on the internet IP address (which they shouldn't, of course) and an SPI firewall might have helped here to block exactly that traffic.
In addition, you often find that NAT is configured with more "relaxed" settings internally than the firewall. As NAT is not a security measure but an enabling technology to deliver and not to drop you often find that NAT sessions time out (due to inactivity) later than firewall sessions. And NAT sessions usually only time out. They don't keep a session state. But of course this depends on the exact implementation and configuration of Linksys which I don't know.
SPI, however, is also used to do "deep inspection", i.e. not only look at the source/destination IPs/ports but also into the contents of some protocols. For Linksys routers it's usually the URL filtering which checks the contents of HTTP requests. Possibly Cisco/Linksys has implemented more checks there.
So to sum up: without SPI firewall you expose the router to the internet and access restrictions shouldn't work.
And as you may think: with IPv6 the SPI firewall becomes very important as you don't need NAT anymore... -
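The answer's point that NAT and SPI keep two separate tables with different jobs and different timeouts is easiest to see in a small model. The following is an added illustration (my own, not from the answer or from any Linksys firmware); the timeouts, addresses and the UPnP probe on port 1900 are constructed values.

```python
from dataclasses import dataclass, field

# Constructed model of the answer's two tables: NAT decides *where* a packet
# goes, the SPI firewall decides *whether* it goes. Timeouts are illustrative.
NAT_TIMEOUT = 300   # seconds; NAT entries linger longer than firewall sessions
FW_TIMEOUT = 60

@dataclass
class Router:
    spi_enabled: bool = True
    nat: dict = field(default_factory=dict)  # (proto, wan_port) -> (lan_ip, lan_port, created)
    fw: dict = field(default_factory=dict)   # (proto, remote_ip, wan_port) -> created
    next_port: int = 40000

    def outbound(self, now, proto, lan_ip, lan_port, remote_ip):
        """A LAN host opens a session: both tables get an entry."""
        wan_port = self.next_port
        self.next_port += 1
        self.nat[(proto, wan_port)] = (lan_ip, lan_port, now)
        self.fw[(proto, remote_ip, wan_port)] = now
        return wan_port

    def inbound(self, now, proto, remote_ip, wan_port):
        """Where does a packet arriving on the WAN address end up?"""
        # Step 1, NAT: rewrite to the LAN host if a live mapping exists,
        # otherwise the packet is delivered to the router itself.
        entry = self.nat.get((proto, wan_port))
        if entry and now - entry[2] <= NAT_TIMEOUT:
            destination = "%s:%d" % (entry[0], entry[1])
        else:
            destination = "ROUTER"
        # Step 2, SPI (after NAT): only packets matching a live session pass.
        if self.spi_enabled:
            created = self.fw.get((proto, remote_ip, wan_port))
            if created is None or now - created > FW_TIMEOUT:
                return "DROP"
        return destination

def scenario(spi_enabled):
    """One LAN DNS query, then three inbound packets at different times."""
    r = Router(spi_enabled=spi_enabled)
    port = r.outbound(0, "udp", "192.168.1.20", 5353, "198.51.100.53")
    return {
        "reply": r.inbound(10, "udp", "198.51.100.53", port),        # both tables live
        "late_reply": r.inbound(120, "udp", "198.51.100.53", port),  # FW expired, NAT live
        "unsolicited": r.inbound(5, "udp", "203.0.113.99", 1900),    # no session at all
    }

if __name__ == "__main__":
    for spi in (True, False):
        print("SPI on" if spi else "SPI off", scenario(spi))
```

With SPI off, the late reply still reaches the LAN host through the lingering NAT entry and the unsolicited probe lands on the router itself; with SPI on, both are dropped.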
Configuring New Interface and NAT on Cisco 1900 Series Router.
Hello Cisco Team,
I am asking for advice on how to set up NAT rules and overload on my 2nd interface on my Cisco 1900 series router; I am not sure where I am getting it wrong.
My router has 2 interfaces: interface one has IP address 10.5.5.5X and plugs into my ASA firewall and into my switch, and works just fine.
I have just configured my second interface with a new IP 172.16.0.X - I want to NAT my new IP address to our public IP address which is 41.77.X.X.
My configuration so far is as follows.
GigabitEthernet0/0 172.16.0.X YES manual up up - Not working
GigabitEthernet0/1 10.5.5.X YES NVRAM up up- this works fine
GigabitEthernet0/0/0 41.77.X.X YES NVRAM up up
Hello Jon,
Thanks for your feedback, my router configuration is as follows.
interface GigabitEthernet0/0
description WL2504
ip address 172.16.0.2 255.255.254.0
duplex auto
speed auto
interface GigabitEthernet0/1
description WAN
ip address 10.55.55.2 255.255.255.252
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/0/0
description LINK TO CLT INTERNET
ip address 41.X.X.130 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
media-type sfp
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 41.X.X.129
ip route 41.X.X.136 255.255.255.248 10.55.55.1
ip route 192.168.0.0 255.255.255.0 10.55.55.1
access-list 1 permit 10.55.55.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
From the router interface GigabitEthernet0/0 I will connect it to my wireless controller WL 2504 -
Static NAT Pre 8.3 ASA no untranslate hits
Hello all---
Having an issue with a pre-8.3 ASA static NAT. The intention is to static NAT an antivirus server hanging off our DMZ interface on the ASA, that address being 192.168.255.2, to one of our public IP addresses, (for the sake of this forum) 44.44.44.44. The ASA DMZ interface is 192.168.255.1.
I've configured the static NAT rule and the access ACLs on both the outside interface and DMZ interface. For the sake of testing, I used just IP as the service (will restrict it later with the correct service ports once I know it's working) and for now just have a Windows laptop acting as the server for testing.
What I’m seeing is incrementing translate hits, but no untranslated hits at all when performing the command: show nat dmz outside 192.168.255.2 255.255.255.255
match ip dmz host 192.168.255.2 outside any
static translation to 44.44.44.44
translate_hits = 549, untranslate_hits = 0
match ip dmz any outside any
no translation group, implicit deny
policy_hits = 170905
Also, I see no hits at all on the acl for the outside interface when trying to do a ping or telnet to ports running on the laptop\server.
So, it's obviously translating out to the public, but not from the public in to the private. Almost like it's not reaching that public IP. We have other publics we translate to for other services, with no issue.
Here’s the pertinent lines – pretty simple at this point.
Outside Interface ACL
access-list acl_out line 48 extended permit ip any host 44.44.44.44
DMZ interface ACL
access-list dmz_access_in line 3 extended permit ip any any
NAT Statement on DMZ interface
static (dmz,outside) 44.44.44.44 192.168.255.2 netmask 255.255.255.255
Any help or clarification is appreciated, thanks, Dennis
Try seeing what the ASA is doing with the return traffic using the packet-tracer utility as follows:
packet-tracer input outside tcp 8.8.8.8 1025 44.44.44.44 23
...substituting the actual public NAT address for the 44.44.44.44 of course. (If you were using 8.3+ you would specify the real end host IP address.)
Here's a link to the command reference for more details. -
Configuring PAT/NAT in cisco routers
hello, first sorry for my bad English
I just wanted to know how to configure PAT (port address translation)
like this:?
amir(config)#ip nat inside source static tcp 192.168.1.1 1000 172.16.1.1 1000
or not?
2nd question I have is:
when do I need to write "ip nat inside source"... and when do I need to write "ip nat outside"?
and the last question for now is:
how can I (if that's possible) configure dynamic PAT - I mean that any computer on my LAN will go out to the internet with the same address but with different ports - in random mode (I mean without configuring static ones one by one)
I hope I was clear enough, thanks a lot!
Hi Tiger,
1) Yes, your first statement is a static PAT statement, which says that the source IP with source port 1000 is translated to 172.16.1.1 with the same port number; but yes, it is a static PAT entry.
2) Coming to your 2nd question:
"ip nat inside source" is a global config command which says that any traffic which hits the inside interface gets its source IP address NATed.
"ip nat inside" is an interface-mode command which should be applied under an interface. This command specifies which interface will be an inside interface that will NAT the incoming traffic.
3) Coming to your last question:
For dynamic PAT you just need to configure the overload keyword at the end of your NAT statement.
This link will give you a very broad and nice picture of how NAT can be configured in different situations:
http://www.cisco.com/warp/public/556/12.html#6
HTH
Ankur