SPAN traffic to ASA Firewall with Botnet feature
Hi
I created a SPAN port for all our traffic which goes to the internet.
The traffic from the SPAN will be directed to the ASA FW where the botnet filter is active and which has access to the internet.
I suppose the ASA must be configured in transparent mode for this to work.
Is that right?
Any other issues I have to pay attention to?
Sincerely, Alfred
Hello Alfred,
I suppose the ASA must be configured in transparent mode for this to work.
Is that right?
Can you tell me why it should be running in transparent mode? I don't see any reason for that.
Is the traffic going to go out via the ASA FW to the internet, or is this some sort of monitoring-only implementation of the ASA?
Regards
Similar Messages
-
ASA Firewall with 8.4 ver
Dear,
How do I open the following ports on an ASA running version 8.4?
TCP: 5242 and 4244
UDP: 5243 and 9785
Thanks.
Hi,
Do you mean you need to configure Static PAT (Port Forward) for those ports using your ASAs external interface public IP address or do you have a spare public IP address for the internal server/host so that Static NAT can be configured instead?
If you need to configure Static PAT (Port Forward) then you can use these as an example
object network SERVER-TCP5242
host
nat (inside,outside) static interface service tcp 5242 5242
object network SERVER-TCP4244
host
nat (inside,outside) static interface service tcp 4244 4244
object network SERVER-UDP5243
host
nat (inside,outside) static interface service udp 5243 5243
object network SERVER-UDP9785
host
nat (inside,outside) static interface service udp 9785 9785
If you don't have an ACL configured on your external ASA interface yet then you could configure
object network SERVER
host
access-list OUTSIDE-IN remark Allow TCP/5242/4244 and UDP/5243/9785
access-list OUTSIDE-IN permit tcp any object SERVER eq 5242
access-list OUTSIDE-IN permit tcp any object SERVER eq 4244
access-list OUTSIDE-IN permit udp any object SERVER eq 5243
access-list OUTSIDE-IN permit udp any object SERVER eq 9785
access-group OUTSIDE-IN in interface outside
The above configurations are just example names for the objects and ACL. You can use something else if you want. Naturally the interface names might be different but I used the default ones.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni -
Multiple gateways for different Traffic on ASA 5510 firewall
Hello,
My network at the moment is set up as:
WAN, with three sites
Site 1
Site 2
Site 3
Site 1 is behind a non-Cisco firewall, which is connected to the internet via a Frame Relay link (using a Cisco 1721 router). We host a number of servers on the internal network and DMZs.
All sites connect to the WAN using Cisco routers or switches.
All internet traffic (IN and OUT) for all sites goes via the non-Cisco firewall.
I am interested in the ASA 5510 with six interfaces.
Using the ASA 5510 is it possible to set up two (2) internet connections, one via the Frame Relay and a second internet connection via an ADSL connection?
Then, is it possible to direct the outward-bound traffic via specific gateways based upon either:
(a) the type of traffic, say HTTP from users behind the firewall; or
(b) the IP addresses of the host (i.e. users' PC versus the servers)
Any assistance is welcome.
Kind regards,
IT@C
Yes, you can do this with policy routing on the internet router in front of the firewall, assuming that you are connecting both ISPs to that router. Also, remember that you can do VLANs on the ASA. This may cut down on the number of interfaces that you use in your config.
http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080636f89.html
HTH, pls rate! -
How Can I Use Two Different Public IP Addresses on My DMZ with ASA Firewall.
How To Use Two Different Public IP Addresses on My DMZ with ASA 5520
Posted by jorge decimo decimo on 28/Jan/2013 5:51:28
Hi everyone out there.
Can anyone please help me regarding this situation for which I'm looking for a solution?
My old range of public IP addresses is finished, I mean the 41.x.x.0 range.
So now I still need to have in my DMZ another two servers that will bring some new services.
Remember that those two servers will need to be accessible both from inside and from outside users (Internet users) as well.
So as I said, my old range of public IP addresses is finished and we asked the ISP to give us some additional public
IP addresses to address the need of the two new servers on the DMZ, and the ISP gave us the range 197.216.1.24/29.
So my question is, in the real world (on the equipment), how can I use two different public IP address ranges on the same DMZ
on a Cisco ASA 5520 v8?
How should my configuration look?
I was told about implementing static NAT with subinterfaces on both the router and the ASA interface.
Can someone please help me with a practical config sample? I can also be reached at [email protected]
Attached is my network diagram for a better understanding.
I thank everybody in advance.
Jorge
Hi,
So looking at your picture you have the original public IP address range configured on the OUTSIDE and it's used for NAT for different servers behind the ASA firewall.
Now you have gotten a new public IP address range from the ISP and want to get it into use.
How do you want to use this IP address range? Do you want to configure the public IP addresses directly on the servers, or NAT them at the ASA and have private IP addresses on the actual servers (like it seems to be for the current server)?
To get the routing working, naturally the only thing needed between your Router and Firewall would be a static route for the new public network range pointing towards your ASA OUTSIDE IP address. The routing between your Router and the ISP core could be handled either with Static Routing or Dynamic Routing.
So you don't really need to change the interface configuration between the Router and ASA at all. You just need a static route pointing the new public IP address range towards the ASA outside IP address.
Now when the routing is handled between the ISP - ISP/Your Router - Your Firewall, you can then consider how to use those IP addresses.
Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall? This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP address range AND then configure the LAN devices correspondingly to the method chosen on the firewall.
Do you want to use the public IP addresses DIRECTLY on the ASA OUTSIDE as NAT IP addresses? This would require you only to start configuring Static NAT for the new servers between the inside/dmz and outside interface of the ASA. The format would be no different from the previous NAT configuration other than the different IP addresses, of course.
Of the above ways:
The first way is good because the actual hosts will have the public IP addresses. Therefore you won't run into problems with DNS when the LAN users are trying to access the server.
The second way is the one requiring the least amount of configuration/changes on the ASA. In this case though you might run into problems with DNS (to which I refer above), as the server actually has a private IP address but the public DNS might reply to the LAN hosts with a public IP address, and therefore connections from LAN could fail. This is because LAN users can't connect to the server's OUTSIDE NAT IP address (unless you NAT the server to the public IP address towards LAN also).
Hopefully the above was helpful. Naturally ask more specific questions and I'll answer them. Hopefully I didn't miss something. But please ask more.
I'm currently at Cisco Live! 2013 London so in the "worst case" I might be able to answer on the weekend at earliest.
- Jouni -
Tacacs+ access issue with ASA firewall after integrating with RSA SecureID
Hi,
In my earlier post I raised the same question, but let me rephrase it again. I have configured TACACS+ on the Cisco ASA firewall and am able to access it. But when I integrated it with RSA SecurID, I am not able to enter enable mode. It is not accepting the enable password nor the RSA passcode. I have created enable_15 on the ASA, ACS and RSA server but no luck.
Did anyone face a similar issue with ASA access?
Rgds
Siddhesh
Hi Siddesh,
In order to help you here, I need to know few things:
1.] Show run | in aaa
2.] When you enter enable password on ASA CLI, what error do you see on ACS > Monitoring and reports > AAA protocols > tacacs authentication > "look for the error message"
3.] Turn on the debugs on ASA "debug tacacs" and "debug aaa authentication" before you duplicate the problem.
~BR
Jatin Katyal
**Do rate helpful posts** -
Inspect other firewall traffic using ASA 5585-X IPS SSP
Is it possible to inspect traffic from other firewalls (say a Checkpoint firewall) apart from the ASA firewall the IPS SSP is running on?
Any help will be appreciated
O.
Hello Amit,
Can you share :
show ips detail
show module 1 details
show service-policy
Now, can you explain a little about this:
On the switch end, port tengig 1/8 is connected on the Nexus and specific VLANs are monitored on that interface. But as of now I am not able to see any traffic on that interface. I don't know what I am doing wrong as this is the first time on this IPS module. There are no ports connected on the firewall; the only port connected is tengig 1/8, which is on the IPS module, which is in promiscuous mode.
I mean the firewall is the one that will redirect the traffic to the IPS sensor so not sure I follow you!
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
Configure our own Public IP pool on Cisco ASA firewall
Hey everyone,
I need some assistance on the below requirement...Today we have only one internet circuit connected with our external firewall where we are using /26 public IP address for all external traffic. Now we managed to obtain our own subnet (/24) from ARIN and would like to configure on the firewall/internet router for all external services. Is my approach right in order to configure our own subnet on the firewall?
1. Create a dedicated interface on the Cisco ASA firewall for the new public pool... if there is no free interface, then a virtual interface should also be fine.
2. Make sure there is an appropriate route towards the Internet router (or create a default route towards the OUTSIDE interface).
3. Speak to the Internet service provider and explain that you are planning to use this specific public IP address range on your network, and ask them to publish it in their BGP world with the proper prefix.
4. Implement one external static NAT and make sure everything works as expected.
Thanks in advance Network Experts!!!
Regards
VGS
You have the basics, but I do have a couple of comments / questions
1. What ASA are you running? If you do not have a free interface and plan to create subinterfaces, you will need to remove the configuration of one of the interfaces, then create subinterfaces and then re-apply the configuration you removed to one of the subinterfaces there...So, why not just overwrite the existing external interface? Also, keep in mind that the ASA does not support two default routes. (though I have heard some rumours that this might be added to the 9.3 release, but I have not had this confirmed)
4. You don't really say what you are going to use this new setup for, but if you are using it for internet then adding just a static NAT will not be enough, you will also need a dynamic NAT.
Please remember to select a correct answer and rate helpful posts -
ASA Firewall sending emails to Ironport Internal
Hello I have a question about ASA firewall and Ironport devices.
What I have found lately is that IronPort is showing that the firewall we have here is sending over 1000 emails an hour, which is causing IronPort to stop all email traffic inside and outside. How do I find out what is causing this issue?
IP Addresses
My Reports
Sender IP Address: 172.16.x.x
Hostname: xxx.xxx.xxx
Total Attempted: 2,753
Stopped by Reputation Filtering: 1,047
Stopped as Invalid Recipients: 530
Spam Detected: 623
Virus Detected: 43
Stopped by Content Filter: 0
Total Threat: 2,243
Clean: 510
I have pasted what I saw today.
I know that .local is internal communication.
Hello,
So you see the IP address of the firewall as the source of the email traffic?
This is a huge amount of emails so I doubt this is because of a feature such as smart-call home that allows your ASA to send traffic as an example.
I would think about NAT taking place and then the packet being shown as your firewall IP address before going to the IronPort box.
My recommendation is do captures on the interface where the Email Clients are and the interface where the IronPort sits.
Does it make sense?
Regards,
Jcarvaja
CCIE 42930, 2xCCNP, JNCIS-SEC
For immediate support http://iNetworks.cr -
ASA firewall wont ping remote site
We have a remote office which I can ping while at the main office, but when I am connected to VPN from the office or home, I can't ping the remote office.
VPN gives me an IP 10.21.18.x
The remote site's IP is: 172.29.x.x
I have the access-list information for the ASA firewall and router below:
below is the multilayer:
OFFICE-CORE-01#show ip access-lists
Extended IP access list verizon-INTERNET-TRAFFIC
10 deny ip 10.21.0.0 0.0.255.255 10.0.0.0 0.255.255.255
20 deny ip 10.21.0.0 0.0.255.255 172.16.0.0 0.15.255.255
30 deny ip 10.21.0.0 0.0.255.255 192.168.0.0 0.0.255.255
40 permit ip 10.23.20.0 0.0.0.255 any
50 permit ip 10.23.21.0 0.0.0.255 any
60 permit ip 10.23.22.0 0.0.0.255 any
70 permit ip 10.23.23.0 0.0.0.255 any
80 permit ip 10.23.24.0 0.0.0.255 any
90 permit ip 10.23.25.0 0.0.0.255 any
100 permit ip 10.23.26.0 0.0.0.255 any
Extended IP access list PAETEC-INTERNET-TRAFFIC
10 deny ip 10.21.0.0 0.0.255.255 10.0.0.0 0.255.255.255
20 deny ip 10.21.0.0 0.0.255.255 172.16.0.0 0.15.255.255
30 deny ip 10.21.0.0 0.0.255.255 192.168.0.0 0.0.255.255
40 permit ip 10.23.20.0 0.0.0.255 any
50 permit ip 10.23.21.0 0.0.0.255 any
60 permit ip 10.23.22.0 0.0.0.255 any
70 permit ip 10.23.23.0 0.0.0.255 any
80 permit ip 10.23.24.0 0.0.0.255 any
90 permit ip 10.23.25.0 0.0.0.255 any
100 permit ip 10.23.26.0 0.0.0.255 any
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
10 permit udp any eq any eq 0
Extended IP access list system-cpp-hsrpv2
10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
10 permit ospf any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-pim
10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
10 permit ip any host 224.0.0.9
----------------------------------ASA ACCESS-LIST is below the brief version-------
access-list CompanyName-vpn-maint_splitTunnelAcl line 10 standard permit 172.29.0.0 255.255.0.0 (hitcnt=0) 0x52bc4d4c
-----------------------below is the ASA routes-----------------------
Gateway of last resort is 53.138.58.129 to network 0.0.0.0
S 192.168.10.0 255.255.255.0 [1/0] via 10.21.0.1, inside
C 172.17.21.0 255.255.255.0 is directly connected, dmz_tier2
S 172.16.142.0 255.255.254.0 [1/0] via 53.138.58.129, outside
C 172.16.21.0 255.255.255.0 is directly connected, dmz_tier1
C 172.19.21.0 255.255.255.0 is directly connected, dmz_tier4
S 172.23.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
S 172.25.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.25.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.24.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
S 172.26.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.26.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.29.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
S 172.29.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.28.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.28.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 192.168.20.0 255.255.255.0 [1/0] via 10.21.0.1, inside
S 10.11.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
S 10.13.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
S 10.10.21.1 255.255.255.255 [1/0] via 10.21.0.1, inside
S 10.10.21.2 255.255.255.255 [1/0] via 10.21.0.1, inside
S 10.22.0.0 255.255.0.0 [1/0] via 53.138.58.129, outside
S 10.23.3.0 255.255.255.0 [1/0] via 10.21.0.1, inside
S 10.23.2.0 255.255.255.0 [1/0] via 10.21.0.1, inside
S 10.21.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
S 10.10.21.10 255.255.255.255 [1/0] via 10.21.0.1, inside
C 10.21.0.0 255.255.255.0 is directly connected, inside
S 10.22.3.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 10.10.41.0 255.255.255.0 [1/0] via 53.138.58.129, outside
C 53.138.58.128 255.255.255.128 is directly connected, outside
S 192.168.2.0 255.255.255.0 [1/0] via 10.21.0.1, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 53.138.58.129, outside
S 0.0.0.0 0.0.0.0 [255/0] via 10.21.0.1, inside tunneled
------------------------------------below is the router's routes----------
Gateway of last resort is 10.21.0.11 to network 0.0.0.0
205.232.16.0/32 is subnetted, 1 subnets
S 205.232.16.25 [1/0] via 10.21.0.11
62.0.0.0/32 is subnetted, 1 subnets
S 62.100.0.146 [1/0] via 10.21.0.12
178.78.0.0/32 is subnetted, 1 subnets
S 178.78.147.193 [1/0] via 10.21.0.12
C 192.168.10.0/24 is directly connected, Vlan29
172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
S 172.16.141.0/24 [1/0] via 10.21.0.11
S 172.16.142.0/23 [1/0] via 10.21.0.11
S 172.16.40.1/32 [1/0] via 10.21.2.12
S 172.16.40.10/32 [1/0] via 10.21.2.12
S 172.16.21.0/24 [1/0] via 10.21.0.11
172.19.0.0/24 is subnetted, 1 subnets
S 172.19.21.0 [1/0] via 10.21.0.11
172.18.0.0/24 is subnetted, 1 subnets
S 172.18.21.0 [1/0] via 10.21.0.12
172.23.0.0/24 is subnetted, 3 subnets
S 172.23.186.0 [1/0] via 10.21.0.6
S 172.23.184.0 [1/0] via 10.21.0.6
S 172.23.181.0 [1/0] via 10.21.0.6
S 172.25.0.0/16 [1/0] via 10.21.0.11
172.24.0.0/24 is subnetted, 3 subnets
C 172.24.181.0 is directly connected, Vlan31
C 172.24.186.0 is directly connected, Vlan32
C 172.24.187.0 is directly connected, Vlan33
S 172.26.0.0/16 [1/0] via 10.21.0.11
172.29.0.0/24 is subnetted, 3 subnets
S 172.29.181.0 [1/0] via 10.21.0.6
S 172.29.184.0 [1/0] via 10.21.0.6
S 172.29.190.0 [1/0] via 10.21.0.6
S 172.28.0.0/16 [1/0] via 10.21.0.11
C 192.168.20.0/24 is directly connected, Vlan30
10.0.0.0/8 is variably subnetted, 35 subnets, 4 masks
S 10.11.0.0/16 [1/0] via 10.21.0.6
C 10.21.28.0/24 is directly connected, Vlan28
C 10.21.26.0/24 is directly connected, Vlan26
C 10.21.25.0/24 is directly connected, Vlan25
S 10.12.0.0/16 [1/0] via 10.21.0.6
C 10.21.24.0/24 is directly connected, Vlan24
S 10.13.0.0/16 [1/0] via 10.21.0.6
C 10.21.23.0/24 is directly connected, Vlan23
C 10.21.22.0/24 is directly connected, Vlan22
C 10.21.21.0/24 is directly connected, Vlan21
C 10.21.20.0/24 is directly connected, Vlan20
C 10.21.19.0/24 is directly connected, Vlan19
S 10.21.18.0/24 [1/0] via 10.21.0.12
S 10.21.17.0/24 [1/0] via 10.21.0.11
C 10.21.16.0/24 is directly connected, Vlan16
C 10.21.15.0/24 is directly connected, Vlan15
C 10.21.14.0/24 is directly connected, Vlan14
C 10.21.13.0/24 is directly connected, Vlan13
C 10.21.12.0/24 is directly connected, Vlan12
C 10.21.11.0/24 is directly connected, Vlan11
C 10.10.21.1/32 is directly connected, Loopback0
S 10.31.0.0/16 [1/0] via 10.21.0.6
D 10.10.21.2/32 [90/130816] via 10.21.252.10, 7w0d, Vlan999
C 10.21.5.0/24 is directly connected, Vlan5
C 10.21.4.0/24 is directly connected, Vlan4
S 10.22.0.0/16 [1/0] via 10.21.0.11
C 10.21.3.0/24 is directly connected, Vlan3
C 10.21.2.0/24 is directly connected, Vlan2
C 10.23.2.0/24 is directly connected, Vlan900
S 10.22.3.0/24 [1/0] via 10.21.0.11
C 10.21.0.0/24 is directly connected, Vlan1000
S 10.41.0.0/16 [1/0] via 10.21.0.11
S 10.10.41.0/24 [1/0] via 10.21.0.11
S 10.51.0.0/16 [1/0] via 10.21.0.6
C 10.21.252.8/30 is directly connected, Vlan999
62.0.0.0/32 is subnetted, 1 subnets
S 62.138.58.129 [1/0] via 10.21.0.11
S 192.168.2.0/24 [1/0] via 10.21.0.12
S* 0.0.0.0/0 [1/0] via 10.21.0.11 -
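For the "ASA firewall wont ping remote site" post above, an added example (not code from the thread) that parses the ASA "show route" format the poster pasted and performs the longest-prefix lookup the ASA does, including Cisco's documented rule for the "tunneled" default route: decrypted VPN traffic falls back to it only when no more specific route matches, and non-VPN traffic never uses it. A subset of the poster's own routes is embedded as the input; the next-hop consistency check flags a static route whose next hop is not on a connected network of the interface the route names, which is worth confirming before chasing ACLs.

```python
"""Route lookup over the ASA 'show route' output format.

Added example, not code from the thread. ROUTE_TABLE is a subset of the
routes the poster listed. lookup() does the longest-prefix match the ASA
performs; the 'tunneled' default is used only for traffic decrypted from a
VPN tunnel and only when no more specific route matches (Cisco's documented
behaviour). inconsistent_next_hops() flags static routes whose next hop is
not inside a connected network on the stated interface.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the poster's ASA route table (subset).
ROUTE_TABLE = """\
S 172.29.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
S 172.29.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 10.21.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
C 10.21.0.0 255.255.255.0 is directly connected, inside
C 53.138.58.128 255.255.255.128 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 53.138.58.129, outside
S 0.0.0.0 0.0.0.0 [255/0] via 10.21.0.1, inside tunneled
"""

# "S 10.0.0.0 255.0.0.0 [1/0] via 10.1.1.1, inside [tunneled]"
ROUTE_VIA = re.compile(
    r"^(?P<code>\S+)\s+(?P<net>\S+)\s+(?P<mask>\S+)\s+"
    r"\[(?P<ad>\d+)/\d+\]\s+via\s+(?P<nh>\S+),\s+(?P<iface>\S+)"
    r"(?P<tun>\s+tunneled)?\s*$"
)
# "C 10.1.1.0 255.255.255.0 is directly connected, inside"
ROUTE_CONN = re.compile(
    r"^(?P<code>\S+)\s+(?P<net>\S+)\s+(?P<mask>\S+)\s+"
    r"is directly connected,\s+(?P<iface>\S+)\s*$"
)


@dataclass(frozen=True)
class Route:
    code: str
    network: ipaddress.IPv4Network
    next_hop: Optional[str]   # None for connected routes
    iface: str
    admin_distance: int
    tunneled: bool = False


def parse_routes(text: str) -> List[Route]:
    """Parse 'show route' lines; header lines such as 'Gateway of last resort' are skipped."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        m = ROUTE_VIA.match(line)
        if m:
            net = ipaddress.IPv4Network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append(Route(m["code"], net, m["nh"], m["iface"],
                                int(m["ad"]), m["tun"] is not None))
            continue
        m = ROUTE_CONN.match(line)
        if m:
            net = ipaddress.IPv4Network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append(Route(m["code"], net, None, m["iface"], 0))
    return routes


def lookup(routes: List[Route], dst: str, from_vpn: bool = False) -> Optional[Route]:
    """Return the route the ASA would use for dst; from_vpn marks decrypted tunnel traffic."""
    addr = ipaddress.IPv4Address(dst)
    specific = [r for r in routes if r.network.prefixlen > 0 and addr in r.network]
    if specific:
        # Longest prefix wins; equal prefixes are decided by lower administrative distance.
        return min(specific, key=lambda r: (-r.network.prefixlen, r.admin_distance))
    defaults = [r for r in routes if r.network.prefixlen == 0]
    if from_vpn:
        tunneled = [r for r in defaults if r.tunneled]
        if tunneled:
            return tunneled[0]
    plain = [r for r in defaults if not r.tunneled]
    return plain[0] if plain else None


def inconsistent_next_hops(routes: List[Route]) -> List[Route]:
    """Static routes whose next hop is not on a connected network of the stated interface."""
    connected = [r for r in routes if r.next_hop is None]
    bad = []
    for r in routes:
        if r.next_hop is None:
            continue
        nh = ipaddress.IPv4Address(r.next_hop)
        if not any(c.iface == r.iface and nh in c.network for c in connected):
            bad.append(r)
    return bad


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for dst, vpn in (("172.29.181.10", True), ("172.29.190.5", True), ("172.29.190.5", False)):
        r = lookup(table, dst, from_vpn=vpn)
        print(f"{dst} (vpn={vpn}) -> {r.network} via {r.next_hop} on {r.iface}")
    for r in inconsistent_next_hops(table):
        print(f"next hop {r.next_hop} for {r.network} is not reachable on '{r.iface}'")
```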
Hi, I am getting the following error while booting up a Cisco ASA firewall.
Hi,
I'm getting the following error from the console when booting up a Cisco ASA firewall...
How do we determine if the issue is hardware or software related?
ERROR: Type:2; Severity:80; Class:1; Subclass:3; Operation: 3
Dear Ravi,
You are getting the timeout message because you must be loading a huge volume of data, and BW runs for a specific period of time and then gives a dump with a message that processing is overdue. What you can do is first drop the indexes of the cube and then manually load the data packets. I think you can again load the failed data package. Select the failed data package in the monitor screen, then go to Edit (on the upper left, next to Monitor). In Edit select Init update, then select "settings for further update", now select that the process should be run in the background. Now right-click on the failed data packet and select Manual update.
Hope this works for you.
With Regards,
Prafulla -
Can't Send or Receive Email from Exchange behind ASA 5510 with CSC SSM
We are upgrading from a PIX 515e to an ASA 5510 with CSC SSM. We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. Here is a copy of my config; any help would be appreciated.
show config
: Saved
: Written by enable_15 at 07:17:44.760 CST Wed Jan 18 2012
ASA Version 8.4(3)
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 216.XXX.XXX.XXX 255.XXX.XXX.XXX
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.5 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network obj-192.168.9.2
host 192.168.9.2
object network obj-192.168.1.65
host 192.168.1.65
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.6.0
subnet 192.168.6.0 255.255.255.0
object network obj-192.168.8.0
subnet 192.168.8.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
object-group network Red-Condor
description Email Filtering
network-object host 66.234.112.69
network-object host 66.234.112.89
object-group service NetLink tcp
port-object eq 36001
object-group network AECSouth
network-object 192.168.11.0 255.255.255.0
object-group service Email_Filter tcp-udp
port-object eq 389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_0 tcp
group-object Email_Filter
port-object eq pop3
port-object eq smtp
object-group network Exchange-Server
description Exchange Server
network-object host 192.168.1.65
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access extended permit tcp any object obj-192.168.9.2
access-list outside_access extended permit icmp any any
access-list outside_access extended permit tcp any object-group Exchange-Server eq https
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
access-list outside_access extended permit object-group TCPUDP object-group Red-Condor object-group Exchange-Server object-group Email_Filter
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 192.168.5.1-192.168.5.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
object network obj-192.168.9.2
nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
object network obj-192.168.1.65
nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
object network obj-192.168.1.0
nat (inside,outside) dynamic interface
object network obj-192.168.2.0
nat (inside,outside) dynamic interface
object network obj-192.168.3.0
nat (inside,outside) dynamic interface
object network obj-192.168.6.0
nat (inside,outside) dynamic interface
object network obj-192.168.8.0
nat (inside,outside) dynamic interface
access-group outside_access in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 216.XXX.XXX.XXX 1
route inside 192.168.0.0 255.255.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server isaconn protocol radius
aaa-server isaconn (inside) host 192.168.1.9
timeout 5
key XXXXXXX
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set AEC esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca server
shutdown
smtp from-address [email protected]
crypto ca certificate chain _SmartCallHome_ServerCA
certificate
quit
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 208.66.175.36 source outside prefer
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class global-class
csc fail-close
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Hello Scott,
So Exchange server ip is obj-192.168.1.65 natted to 216.x.x.x
object network obj-192.168.1.65
"nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp"
The ACL says
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
From which IP addresses are you trying to send traffic to the Exchange server?
Please do a packet-tracer and give us the output
packet-tracer input outside tcp x.x.x.x (outside host IP) 1025 216.x.x.x 25
Regards,
Julio
Rate helpful posts!!! -
P2P blocking on ASA 5525 with Software Version 8.6(1)2
Hello,
We have Cisco ASA 5525 with Software Version 8.6(1)2. We have permitted all the traffic from inside to outside.
Now we want to block P2P sharing Bit torrent to internet sites. Please help me with the configuration.
We have DMZ setup & also inline IPS module.
Thanks in advance.
Regards,
Sandeshc Chavan.
Hi Chavan,
You can try to block this by port.
The well known TCP port for BitTorrent traffic is 6881-6889 (and 6969 for the tracker port).
The config is
access-list BLOCK-P2P-TRAFFIC extended deny tcp any any range 6881 6889 log
access-list BLOCK-P2P-TRAFFIC remark a final permit is needed, otherwise the implicit deny drops all other traffic
access-list BLOCK-P2P-TRAFFIC extended permit ip any any
And apply it to the desired interface with the "access-group" command.
For example:
access-group BLOCK-P2P-TRAFFIC out interface DMZ
However, blocking BitTorrent is challenging, and can't really be done effectively with port blocks. The standard ports are 6881-6889 TCP, but the protocol can be run on any port, and the peer-to-peer nature of the protocol means that discovering peers that use unblocked ports is simple.
Also, you can run netstat -a from the Windows command prompt and check which port BitTorrent is using.
Hope this helps. -
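As an added example (not code from either reply), here is a small Python evaluator that applies the ASA's first-match ACL semantics to the outside_access ACL Julio quotes for the Exchange server and to the BLOCK-P2P-TRAFFIC port-range ACL above, using a constructed config excerpt. The 203.0.113.x addresses are placeholder test hosts, and service/protocol object-groups (TCPUDP, Email_Filter) are left out of scope.

```python
import ipaddress
# Constructed excerpt of the ACLs and objects quoted above; the trailing permit is added so the P2P ACL can be applied.
CONFIG = """
object-group network Red-Condor
 network-object host 66.234.112.69
 network-object host 66.234.112.89
object-group network Exchange-Server
 network-object host 192.168.1.65
access-list outside_access extended permit tcp any object-group Exchange-Server eq https
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
access-list BLOCK-P2P-TRAFFIC extended deny tcp any any range 6881 6889 log
access-list BLOCK-P2P-TRAFFIC extended permit ip any any
"""
PORTS = {"https": 443, "smtp": 25, "pop3": 110, "www": 80, "ftp": 21}

def net(t):  # 'host A', 'subnet A M' or 'A M' -> ip_network
    return ipaddress.ip_network(t[1] if t[0] == "host" else f"{t[-2]}/{t[-1]}")

def parse(config):
    """Network objects/groups as ip_network lists and ACEs keyed by ACL name (service groups out of scope)."""
    objects, acls, current = {}, {}, None
    for w in filter(None, (line.split() for line in config.splitlines())):
        if w[0] in ("object", "object-group") and w[1] == "network":
            current = objects.setdefault(w[2], [])
        elif w[0] in ("host", "subnet", "network-object"):
            current.append(net(w[1:] if w[0] == "network-object" else w))
        elif w[0] == "access-list" and w[2] == "extended":
            acls.setdefault(w[1], []).append(w[3:])
    return objects, acls

def address(t, i, objects):  # one ACE address operand at t[i] -> (networks, index after it)
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] in ("object", "object-group"):
        return objects[t[i + 1]], i + 2
    return [net(t[i:i + 2])], i + 2

def permitted(acl, objects, proto, src, dst, dport=None):
    """First match wins, as on the ASA (implicit deny if none); on 8.3+ the outside ACL sees the real, untranslated destination."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        srcs, i = address(ace, 2, objects)
        dsts, i = address(ace, i, objects)
        op = ace[i] if i < len(ace) else None
        port_ok = ((op != "eq" or dport == (PORTS.get(ace[i + 1]) or int(ace[i + 1])))
                   and (op != "range" or (dport is not None and int(ace[i + 1]) <= dport <= int(ace[i + 2]))))
        if ace[1] in (proto, "ip") and port_ok and any(src in n for n in srcs) and any(dst in n for n in dsts):
            return ace[0] == "permit"
    return False
```

Call permitted() with the server's inside address (192.168.1.65) rather than the public NAT address, which is what Julio's packet-tracer reveals on this 8.4 ASA.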
Standard (application-based) firewall with one additional port open?
Lion and Snow Leopard both have application based firewalls. I want to allow access to a Minecraft server on port 25565 but I don't want to allow all of Java. How can I open one port in addition to leaving the standard firewall in place?
Hi
The Zone based firewall uses "inspect" statements, that's just what it does.
A simple zone-based firewall that will inspect all traffic going from the local network to the internet and protecting the outside interface of the router, but allowing anyconnect connections would look something like this:
zone security INSIDE
zone security OUTSIDE
! assign the LAN and WAN interfaces to these zones with "zone-member security INSIDE" / "zone-member security OUTSIDE"
ip access-list standard INSIDE-NETWORK_ACL
 permit 192.168.1.0 0.0.0.255
class-map type inspect INSIDE-NETWORK_CMAP
 match access-group name INSIDE-NETWORK_ACL
class-map type inspect HTTPS_CMAP
 match protocol https
policy-map type inspect INSIDE-TO-OUTSIDE_PMAP
 class type inspect INSIDE-NETWORK_CMAP
  inspect
policy-map type inspect OUTSIDE-TO-SELF
 class type inspect HTTPS_CMAP
  pass
zone-pair security INSIDE-TO-OUTSIDE_ZP source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE_PMAP
zone-pair security OUTSIDE-TO-SELF_ZP source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF
I haven't personally configured Zone Based Firewall with anyconnect. So if this doesn't work you can look at this link: https://supportforums.cisco.com/document/46481/anyconnect-ios-zone-based-firewall-zbfw -
WMI query through ASA Firewall
I'm a newbie - please be patient
We have an ASA firewall that has several DMZ VLANs.
A support company that responsible for the SQL Servers wants to use WMI to query server health.
Their monitoring server currently on the internal lan, eight SQL servers on the internal lan and six of the SQL Servers are in the DMZ.
Two of the SQL Servers in the DMZ are 2003x32 Standard Edition and four are 2008R2x64 Enterprise Edition
The question is the ports that need to be open for Windows 2003 is concerningly large tcp/1025-65535, tcp/135
What are everyone’s thoughts on opening up such a large range?
Is there a better way of doing this – unfortunately getting the monitoring software rewritten is not an option and nor is going Linux
Thanks
PS - if this has already been asked, can someone point me to the discussions?
Hi
I would say that that is a no-no.
But that depends on the environment; for some (most) I would say it's not OK, but some might feel that they do not need that much security.
WMI is a bit tough on firewalls.
But there are ways to limit the ports used by WMI,
e.g. you can set it to use fixed ports, and so on.
Sure, it makes the server guys a little less happy since it does not work from the start and they have to make some changes, but the added security is well worth the fight.
Here is a link to SolarWinds for people with the same problem, and an answer that seems to work
(I have not tested this) from ASH J Kent (almost at the bottom):
http://thwack.solarwinds.com/forums/68/application--server-management/21/server--application-monitor/16415/wmi-monitoring-through-firewal/
Here is one from MSDN
http://msdn.microsoft.com/en-us/library/windows/desktop/bb219447(v=vs.85).aspx
Good luck
HTH -
Best way of spanning traffic from ports to remote DC's N7Ks
Hello Team,
I have a site where many voice gateways are going to be located with ISDN30's in place. We need to span the traffic from these ports/vlan to remote DC's (to DC1 and DC2) to a particular VLAN or port (worst case scenario). The remote location consists of 4506E in VSS [the VG's will connect in to here] with 2 ASR 1002x's for WAN with 1 gb point to point links to DC1 and DC2.
In DC1 and DC2 are N7K's - from where the point to point come in to WAN VDC, the traffic needs to go to the LAN VDC to a VM. The LAN and WAN vdc's have L3 connectivity (OSPF)
What are the best ways of doing this...? I was starting to think OTV, however this may not work when spanning to a vlan - I haven't tried - will this work. Of course the solution will have to have resilience so spanning traffic to both DC1 and 2. I have done pseudo-wire before in another setup to accomplish this however this is different in that we may need to span to a vlan.
Thank you
Bilal
Hello, I had already looked into this; unfortunately it won't work, since the requirement is to span to a VLAN destination. We ended up using dedicated expensive ports for ERSPAN and other solutions, so we've decided to keep the recording servers locally at the site and every so often FTP to the DC.
Thanks for replying though